ABSTRACT


The S-Boxes used in the AES algorithm are generated by field extensions of the Galois field over two elements, called GF(2). Therefore, understanding the field extensions provides a method of analysis, potentially efficient implementation, and efficient attacks. Different polynomials can be used to generate the fields, and we explore the set of polynomials x^2 + x + a^i over GF(2^n) where a is a primitive element of GF(2^n).

The results of this work are the first steps towards a full understanding of the field in which AES computation occurs, GF(2^8). The charts created with the data we gathered detail which power of the current primitive root is equal to previous primitive roots for fields up through GF(2^16) created by polynomials of the form x^2 + x + a^i for a primitive element a. Currently, a C++ program will also provide all the primitive polynomials of the form x^2 + x + a^i for a primitive element a over the fields through GF(2^16). This work also led to a deeper understanding of certain elements of a field and their equivalent shift register state. In addition, given an irreducible polynomial f(x) = x^2 + x + a^i over GF(2^n), the period (and therefore the primitivity) can be determined by a new theorem without running the shift register generated by f(x).
I. INTRODUCTION


The S-Boxes used in the AES algorithm are generated by field extensions of the Galois field over two elements, called GF(2). Therefore, understanding the field extensions provides a method of analysis, potentially efficient implementation, and efficient attacks. Different polynomials can be used to generate the fields: the AES implementation uses one set, Canright [1] uses another, Conway [2] uses yet another, and we explore the set of polynomials x^2 + x + a^i over GF(2^n) where a is a primitive element of GF(2^n). In particular, we look at the structure of the constant coefficients of these polynomials.

A primitive element of a Galois field is an element whose powers, taken up to the number of nonzero elements of the field, are all different. Since there are exactly as many of these powers as there are nonzero elements, the powers exhaust all of the nonzero elements of the field. By definition of a field extension, the field that is being extended is a subfield of the larger field, so elements that are in the subfield are also in the extension field. For example, for a primitive element m of the extension field and for each nonzero element s of the subfield, there exists a power e of m so that s = m^e.

Suppose x^2 + x + a^i is a polynomial over the field GF(2^n) with a a primitive element of GF(2^n). Using an algorithm different from the typical algorithm for building fields with Galois shift registers, we are able to show whether or not the polynomial is irreducible (i.e., cannot be factored) over that field. With a new theorem, we are able to determine whether or not the polynomial is primitive when it is also irreducible. In addition, we use the alternate algorithm to discover information about the primitive roots from previous fields in the hope that this will further our understanding of the fields built by these particular polynomials.
II. BACKGROUND


In order to understand the algorithms and methods presented in this paper, we need to review some mathematical concepts as well as other topics, including linear feedback shift registers.

A. FIELD THEORY REVIEW

We first review some definitions and results from abstract algebra. These results can be found in any standard algebra text such as Dummit and Foote's Abstract Algebra [3] or Gallian's Contemporary Abstract Algebra [4].

1. Groups

A group G is a set of elements with a binary operation defined on those elements that has the following properties:

1. The binary operation is closed over the group, meaning that the binary operation performed on any two elements of the group will result in another element of the group.

2. The binary operation is associative.

3. There exists an identity element for the operation.

4. Each element of the group has an inverse for the operation.

An example of a group where the binary operation is addition modulo n is the set of integers 0, 1, 2, ..., n-1, denoted Z_n. In this group, 0 is the identity, and n-k is the inverse of k.

2. Rings and Ideals

A ring R is a set with two binary operations + and ×, called addition and multiplication, such that the following properties hold:

1. (R, +) is a commutative group.

2. Multiplication is associative.

3. The distributive laws hold in R: for all a, b, c in R,

(a + b) × c = (a × c) + (b × c) and a × (b + c) = (a × b) + (a × c).

A subring S of a ring R is a subset of R that is also a ring with the operations of R. A subring A of a ring R is an ideal of R if for all r in R and for all a in A, ra and ar are in A. In other words, A absorbs the elements from R. A ring R is a commutative ring with unity if multiplication is commutative and there exists a multiplicative identity in R. Suppose R is a commutative ring with unity. Let a be an element in R. Then the set (a) = {ra | r ∈ R} is an ideal of R called a principal ideal.

Let R be a commutative ring. Then R[x] = {a_n x^n + ... + a_1 x + a_0 | a_i ∈ R} is the ring of polynomials over R.

Theorem 1: If A is an ideal of R, then we may form the factor ring R/A = {r + A | r ∈ R}. In this case, the set of cosets {r + A | r ∈ R} is a ring under the operations

1. (s + A) + (t + A) = (s + t) + A, and

2. (s + A)(t + A) = (st) + A for s and t in R.

For example, let ℝ[x] be the ring of polynomials whose coefficients are real numbers. Let (x^2 + 1) be the principal ideal generated by x^2 + 1, so (x^2 + 1) = {f(x)(x^2 + 1) | f(x) ∈ ℝ[x]}. Then the factor ring is ℝ[x]/(x^2 + 1) = {g(x) + (x^2 + 1) | g(x) ∈ ℝ[x]}. Now, since g(x) is in ℝ[x], g(x) may be written as g(x) = q(x)(x^2 + 1) + r(x), where the degree of r(x) is less than the degree of x^2 + 1, by the division algorithm. So r(x) = ax + b for some a and b in the real numbers. Therefore,

\[
\begin{aligned}
\mathbb{R}[x]/(x^2+1) &= \{\, g(x) + (x^2+1) \mid g(x) \in \mathbb{R}[x] \,\} \\
&= \{\, q(x)(x^2+1) + r(x) + (x^2+1) \,\} \\
&= \{\, r(x) + (x^2+1) \mid r(x) \in \mathbb{R}[x] \,\} \quad \text{because the ideal } (x^2+1) \text{ absorbs the term } q(x)(x^2+1) \\
&= \{\, ax + b + (x^2+1) \mid a, b \in \mathbb{R} \,\} \quad \text{by definition of } r(x).
\end{aligned}
\]

The notation can be simplified by denoting a coset ax + b + (x^2 + 1) by its coset representative ax + b.

An ideal A of a ring R is a proper ideal of R if A is a proper subset of R. A proper ideal A of R is a maximal ideal of R if, whenever B is an ideal of R and A ⊆ B ⊆ R, then B = A or B = R.
3. Fields

A field F is a set of elements with two binary operations + and ·, usually called addition and multiplication, defined on it that has the following properties:

1. (F, +) is a commutative group with identity 0.

2. (F - {0}, ·) is a commutative group with identity 1.

3. The distributive law holds for all a, b, c in F:

a · (b + c) = (a · b) + (a · c).

Familiar fields include the rational numbers, the real numbers, and the complex numbers. However, we are interested in fields with only a finite number of elements, referred to as finite fields.

An example of a finite field with 2 elements is the set {0, 1}. Addition and multiplication in this field are defined as follows:

0 + 0 = 0    0 · 0 = 0
0 + 1 = 1    0 · 1 = 0
1 + 0 = 1    1 · 0 = 0
1 + 1 = 0    1 · 1 = 1

Table 1. Multiplication and Addition Rules in the Field {0, 1}


For this field, (logical) XOR is the addition operation and (logical) AND is the multiplication operation.

Theorem 2: Finite fields have only a prime or prime power number of elements.

The fields with a prime number of elements are represented by the integers mod p, for any prime p. Addition and multiplication are done modulo p. A finite field that has p^n elements for a prime p and any positive integer n is called a Galois field, denoted GF(p^n).
In a field, the group of nonzero elements is cyclic, meaning that there is at least one element whose powers exhaust all of the nonzero elements of the field. The order of an element a of a group is the smallest positive integer n such that a^n = 1.

Theorem 3: The order of an element in a finite group divides the number of elements in the group.

Theorem 4: Let R be a commutative ring with unity and let A be an ideal of R. Then R/A is a field if and only if A is a maximal ideal.

4. Constructing a Field of p^n Elements

A polynomial over a particular field F is a polynomial a_n x^n + a_{n-1} x^{n-1} + ... + a_1 x + a_0 such that each coef­ficient a_i is an element of the field F. A polynomial f(x) over a field F is irreducible if f(x) cannot be factored as a product of two polynomials, both defined over F and both of degree lower than f(x). Otherwise, f(x) is reducible.

Theorem 5: Let F be a field and let p(x) be in F[x]. Then (p(x)) is a maximal ideal in F[x] if and only if p(x) is irreducible over F.

Theorem 6: If p(x) is an irreducible polynomial over F, then F[x]/(p(x)) is a field.

In other words, to create a field that has a prime power p^m of elements, we need an irreducible polynomial f(x) of degree m over the prime field GF(p).

For example, consider Z_2 = {0, 1} and the polynomial f(x) = x^3 + x + 1. If f(x) were reducible, it would have at least one factor of degree one. This would imply that f(x) would have a root in Z_2. But f(0) = f(1) = 1, so there are no roots of f(x) in Z_2. So f(x) is irreducible, and therefore Z_2[x]/(f(x)) is a field. Now

Z_2[x]/(x^3 + x + 1) = {ax^2 + bx + c + (x^3 + x + 1) | a, b, c ∈ Z_2}

is a field of 2^3 = 8 elements. If we designate a coset by its coset representative, then the elements of the field are {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}.
5. Different Representations of Elements of a Field

There are actually several different ways to represent the elements of a finite field. Above is an example of creating a field from the factor ring F[x]/(p(x)) where F is a field and p(x) is an irreducible polynomial. If the degree of p(x) is m, then the field F[x]/(p(x)) is called a degree m extension field of F. The elements of the larger field can be expressed as m-tuples chosen from the field F.

Theorem 7: Let F[x]/(p(x)) be an extension field such that F is a field and p(x) is a degree m irreducible polynomial. Then the elements of the extension field are isomorphic to the polynomials of degree less than m over F.

Theorem 8: If F is a field and p(x) is an irreducible polynomial over F, then there exists a field K containing an isomorphic copy of F in which p(x) has a root.

In other words, there exists an extension field K of F in which p(x) has a root.

The order of a polynomial f(x) is the smallest positive integer n such that f(x) divides x^n - 1. A primitive polynomial is an irreducible polynomial f(x) of degree m over GF(p) such that the smallest n for which f(x) divides x^n - 1 is n = p^m - 1. For example, consider f(x) = x^2 + x + 1 over GF(2). Note that f(0) = 1 and f(1) = 1, so there are no roots of f(x) in GF(2). Therefore, f(x) is irreducible over GF(2). Note also that addition and subtraction are the same over GF(2). Then,

\[
\begin{aligned}
\frac{x + 1}{x^2 + x + 1} &= \frac{x + 1}{x^2 + x + 1} \quad (\text{the degree of } x + 1 \text{ is too small for division}), \\
\frac{x^2 + 1}{x^2 + x + 1} &= 1 + \frac{x}{x^2 + x + 1}, \\
\frac{x^3 + 1}{x^2 + x + 1} &= x + 1 .
\end{aligned}
\]

So the smallest integer n such that x^2 + x + 1 divides x^n + 1 is 3 = 2^2 - 1. Therefore, the order of f(x) is 3 and it is primitive.
When creating the field GF(p^m) from GF(p) and an irreducible polynomial f(x) of degree m, if f(x) is not primitive, then multiplication is as follows:

a(x) · b(x) = c(x) (modulo p, modulo f(x)),

where we reduce the product both modulo p and modulo the irreducible polynomial f(x).

However, multiplication can be accomplished much more easily if the irreducible polynomial f(x) is also primitive.

Theorem 9: If the polynomial f(x) is primitive, then a root a of the polynomial f(x) is also primitive, meaning that the powers of a exhaust the nonzero elements of the field.

Theorem 10: There is always a primitive element of the field with which we can perform multiplication in this convenient way.

For example, let f(x) = x^4 + x + 1 be a polynomial over GF(2). Note that f(0) = f(1) = 1. So f(x) has no roots in GF(2) and therefore does not contain a degree 1 polynomial as a factor. However, it could still factor into two degree 2 polynomials. The only degree 2 polynomial that f(x) could factor into that does not itself factor into two degree 1 polynomials is x^2 + x + 1. But when f(x) is divided by this polynomial, a remainder of 1 results. So f(x) does not factor into two degree 2 polynomials, and is therefore irreducible. Suppose that a is a root of f(x). Then we can represent GF(2^4) as a set of polynomials in a of degree less than 4. However, if we find a primitive element in GF(2^4), we can also represent the nonzero elements of the field as powers of that primitive element. In this case, a happens to be primitive, and we can create a table that will simplify both addition and multiplication operations in the field.

We verify that the order of a is 2^4 - 1 = 15, and that a is primitive. Using a^4 = a + 1,

\[
\begin{aligned}
a^{15} &= (a^5)^3 = (a \cdot a^4)^3 = (a(a+1))^3 = (a^2 + a)^3 \\
&= (a^2 + a)^2 (a^2 + a) = (a^4 + a^2)(a^2 + a) \\
&= a^6 + a^5 + a^4 + a^3 = a^2 \cdot a^4 + a \cdot a^4 + (a + 1) + a^3 \\
&= (a + 1)a^2 + (a + 1)a + (a + 1) + a^3 \\
&= a^3 + a^2 + a^2 + a + a + 1 + a^3 = 1 .
\end{aligned}
\]

So the order of a divides 15 and could be either 3, 5, or 15. However, a^3 ≠ 1 and a^5 = a^4 · a = (a + 1)a = a^2 + a ≠ 1. Therefore, the order of a is 15 and it is primitive. Now we can create a table of the two different representations of each element of the field, one representation as a polynomial in a of degree less than 4 and the other as a power of a. In this case, multiplication can now be defined by a^i · a^j = a^((i + j) mod 15).


Element as a power of a    Element as a polynomial in a
a^0                        1
a^1                        a
a^2                        a^2
a^3                        a^3
a^4                        a + 1
a^5                        a^2 + a
a^6                        a^3 + a^2
a^7                        a^3 + a + 1
a^8                        a^2 + 1
a^9                        a^3 + a
a^10                       a^2 + a + 1
a^11                       a^3 + a^2 + a
a^12                       a^3 + a^2 + a + 1
a^13                       a^3 + a^2 + 1
a^14                       a^3 + 1

Table 2. Table of the Two Representations of the Elements of the Field GF(2^4)
6. Building Fields with Different Extensions

One can build fields with different irreducible polynomials as well as different degree extensions.

Theorem 11: Fields of order p^n are all isomorphic to GF(p^n).

For example, the field GF(2^8) can be built with three degree 2 extensions, one degree 4 extension followed by a degree 2 extension, or one degree 8 extension.


Figure 1. Different Extensions from GF(2) to GF(2^8)

First, we show the field GF(2^8) being built with three degree 2 extensions. Consider the polynomial f(x) = x^2 + x + 1 over GF(2). As we saw above, f(x) is irreducible and primitive. Therefore, GF(2)[x]/(x^2 + x + 1) is a field of 4 elements and is isomorphic to GF(2^2). Suppose a is a root of f(x). The order of a is 3, and a is primitive. All of the nonzero elements of GF(2^2) can be expressed as powers of a, as we showed earlier. Now consider the field GF(2^2) and the polynomial g(x) = x^2 + x + a. Since g(0) = g(1) = a and g(a) = g(a^2) = a^2, g(x) has no roots in GF(2^2) and, being of degree 2, is irreducible. Therefore, GF(2^2)[x]/(x^2 + x + a) is isomorphic to GF(2^4). Let b be a root of g(x). Since b is a root of g(x),
g(b) = b^2 + b + a = 0, which implies b^2 = b + a. In Table 3, we show that the order of b is 15. So b is primitive and each nonzero element of GF(2^4) can be written as a power of b. The table of the powers of b is below.


Element as a power of b    Element as a polynomial in b (coefficients in GF(2^2))
b^0                        1
b^1                        b
b^2                        b + a
b^3                        a^2 b + a
b^4                        b + 1
b^5                        a
b^6                        ab
b^7                        ab + a^2
b^8                        b + a^2
b^9                        ab + a
b^10                       a^2
b^11                       a^2 b
b^12                       a^2 b + 1
b^13                       ab + 1
b^14                       a^2 b + a^2

Table 3. Table of the Two Representations of the Elements of the Field GF(2^4) Built over GF(2^2)

Note that b^5 = a. So even though a is an element of the smaller field GF(2^2), there is a copy of it (as well as of a^2 = b^10 and a^3 = 1 = b^15) in the bigger field GF(2^4).

Consider the polynomial h(x) = x^2 + x + b^i over GF(2^4), for a suitable exponent i. It can be shown that no elements of GF(2^4) are roots of h(x), similar to the way that we showed that f(x) has no roots in GF(2). So h(x) cannot be factored and is irreducible. Therefore, GF(2^4)[x]/(h(x)) is isomorphic to the field GF(2^8). Note that for this paper, we are mainly interested in degree 2 extensions of the form x^2 + x + a^i for some primitive element a. In this case, we use a to denote a primitive element in GF(2^2), b to denote a primitive element in GF(2^4), c to denote a primitive element in GF(2^8), d to denote a primitive element in GF(2^16), and so on.

Now, we can also build GF(2^8) from GF(2) using a degree 4 extension followed by a degree 2 extension. For example, take GF(2) and the polynomial s(x) = x^4 + x + 1. We have already shown that s(x) is irreducible and that the root a of s(x) is primitive. So the field GF(2)[x]/(s(x)) is isomorphic to GF(2^4). Consider the polynomial t(x) = x^2 + x + a^i over GF(2^4), for a suitable exponent i. Again, it can be shown that t(x) is irreducible over GF(2^4) by showing that there are no roots of t(x) in GF(2^4) and that therefore the polynomial cannot be factored. So GF(2^4)[x]/(t(x)) is a field of 2^8 elements and is isomorphic to GF(2^8).

Since 2^8 is a power of a prime, we can also build GF(2^8) directly from GF(2) with just one extension of degree 8. Consider the polynomial v(x) = x^8 + x^4 + x^3 + x + 1 over GF(2) (this is the polynomial used by AES). Now v(0) = v(1) = 1, so there are no roots of v(x) in GF(2). Therefore, v(x) cannot be factored into any degree 1 polynomials. The only irreducible degree 2 polynomial over GF(2) is x^2 + x + 1, and the remainder when v(x) is divided by it is x + 1. So v(x) is not divisible by any degree 2 polynomial that does not itself factor. There are two degree 3 irreducible polynomials over GF(2), x^3 + x + 1 and x^3 + x^2 + 1. However, when v(x) is divided by each of them, the remainders are x^2 and x + 1, respectively. Thus, v(x) is not divisible by any degree 3 irreducible polynomial over GF(2). Now, x^4 + x^3 + x^2 + x + 1, x^4 + x^3 + 1, and x^4 + x + 1 are the only degree 4 irreducible polynomials over GF(2), and the remainders are x^3 + x^2, x^3 + x^2, and x^3 + x^2 + 1, respectively, when v(x) is divided by each of them. There is no need to check any other degrees. For example, if v(x) were divisible by a degree 5 polynomial, then the other factor would have degree 3, so v(x) would also be divisible by a degree 3 polynomial. Therefore, v(x) cannot be factored and is irreducible. So GF(2)[x]/(v(x)) is a field of order 2^8 and is isomorphic to GF(2^8).
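The trial-division argument above is easy to mechanise, and doing so also answers a question the text leaves open. The following Python is an added example, not the Mathematica or C++ program of this thesis: it represents a polynomial over GF(2) as an integer whose bit i is the coefficient of x^i, tests irreducibility of a polynomial of any degree by dividing by every polynomial of degree up to half its own, and computes the order of f(x) as the smallest n with f(x) | x^n - 1 (Section II.A.5). Run on the page's examples it confirms that x^2 + x + 1 and x^4 + x + 1 are primitive and reproduces the remainders quoted for v(x). It also shows the caveat an implementer needs: v(x) = x^8 + x^4 + x^3 + x + 1 is irreducible but has order 51, not 255, so it is not primitive and x is not a generator of GF(2^8) under it; a log/antilog multiplication table in the AES field therefore cannot be indexed by powers of x.

```python
# Polynomials over GF(2) as Python ints: bit i is the coefficient of x^i.
# Added example; the polynomial constants in __main__ are the ones named in the text.

def deg(f):
    """Degree of f (deg(0) = -1)."""
    return f.bit_length() - 1

def pmod(f, g):
    """Remainder of f on division by g over GF(2) (g != 0)."""
    dg = deg(g)
    while f and deg(f) >= dg:
        f ^= g << (deg(f) - dg)      # cancel the leading term of f
    return f

def is_irreducible(f):
    """Trial division by every polynomial of degree 1 .. deg(f)//2, as in the text."""
    n = deg(f)
    if n < 1:
        return False
    for d in range(1, n // 2 + 1):
        for g in range(1 << d, 1 << (d + 1)):   # every degree-d polynomial over GF(2)
            if pmod(f, g) == 0:
                return False
    return True

def irreducibles_of_degree(d):
    return [g for g in range(1 << d, 1 << (d + 1)) if is_irreducible(g)]

def remainders(f, d):
    """Remainder of f modulo each irreducible polynomial of degree d."""
    return {g: pmod(f, g) for g in irreducibles_of_degree(d)}

def poly_order(f):
    """Smallest n >= 1 with f | x^n - 1, i.e. x^n == 1 modulo f.  Needs f(0) != 0."""
    if not f & 1:
        raise ValueError("x divides f; the order is undefined")
    n, xn = 1, pmod(0b10, f)
    while xn != 1:
        xn = pmod(xn << 1, f)        # multiply by x and reduce modulo f
        n += 1
    return n

def is_primitive(f):
    """Irreducible of degree m with order 2^m - 1."""
    return is_irreducible(f) and poly_order(f) == (1 << deg(f)) - 1

def poly_str(f):
    terms = ["x^%d" % i if i > 1 else ("x" if i == 1 else "1")
             for i in range(deg(f), -1, -1) if (f >> i) & 1]
    return " + ".join(terms) or "0"

if __name__ == "__main__":
    X2_X_1 = 0b111          # x^2 + x + 1
    X4_X_1 = 0b10011        # x^4 + x + 1
    V = 0b100011011         # x^8 + x^4 + x^3 + x + 1, the AES polynomial
    for f in (X2_X_1, X4_X_1, V):
        print(poly_str(f), "irreducible:", is_irreducible(f),
              "order:", poly_order(f), "primitive:", is_primitive(f))
    for d in (2, 3, 4):
        print("degree", d, {poly_str(g): poly_str(r) for g, r in remainders(V, d).items()})
```

The check in is_irreducible divides by reducible polynomials as well as irreducible ones, which costs a little time but needs no precomputed list; irreducibles_of_degree reuses it to rebuild the lists of degree 3 and degree 4 irreducibles used in the text.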

7. Conjugates

Let β be an element of GF(p^n). The conjugates of β with respect to GF(p) are β, β^p, β^(p^2), β^(p^3), .... The set of conjugates of β forms the conjugacy class of β.

Theorem 12: The conjugacy class of β in GF(p^n) contains d elements, where d is the smallest positive integer such that β^(p^d) = β.

For example, consider GF(2^3) and let a ≠ 1 be a nonzero element in GF(2^3). The conjugacy class of a is {a, a^2, (a^2)^2 = a^4, (a^4)^2 = a^8 = a} = {a, a^2, a^4}. The conjugacy class of 0 is {0} and the conjugacy class of 1 is {1}.

Theorem 13: Let f(x) be a primitive polynomial over a field, and let a be a root of f(x). Then the roots of f(x) are exactly the conjugates of a.

Theorem 14: If elements are in the same conjugacy class, then they have the same order.

B. LINEAR FEEDBACK SHIFT REGISTERS (LFSR)

Linear feedback shift registers are an important tool that can be used to build the fields GF(2^n). Golomb's Shift Register Sequences [5] is a good reference for linear feedback shift registers. Fellin's Primitive Shift Registers [6] is also a good quick introduction.

1. An Overview of LFSRs

A binary shift register of span n is a set of n storage elements, each holding either a 0 or a 1. The content of the n storage elements is the state of the register at a particular time. A feedback function is also associated with the shift register. When a new bit is needed, each bit in the register is shifted in the direction of increasing index, and the feedback function determines the new bit in the lowest-order element. Let s_i be the contents of the i-th storage element at a particular time for a shift register with n storage elements. In general, if the feedback function at time t is

f(s_0, ..., s_{n-1}) = c_0 s_0 + c_1 s_1 + ... + c_{n-2} s_{n-2} + c_{n-1} s_{n-1} = s_0 at time t + 1, for c_i ∈ {0, 1},

where addition is performed modulo 2, then the shift register is a linear feedback shift register (because s_0 is a linear function of the other s_i's). The output tap is s_{n-1}. The shift register is completely dependent on its previous state and the feedback function. So, once the state returns to its initial state, we know exactly what the sequence of next states of the register will be. The period of a shift register is the length of the output sequence before the sequence starts to repeat.

Theorem 15: The period is at most 2^n - 1, where n is the number of storage elements in the LFSR, since the all-0 state cannot appear on a cycle which includes 1s.

Note that if the register is initialized with s_i = 0 for all i, the output sequence would be 00000... .

2. Galois Shift Register

An example of an LFSR is the Galois shift register. Instead of the general feedback function described above, the contents of the storage elements are XOR'ed together based on the design of the particular Galois shift register [7]. This design is explained in the section below.


Figure 2. Galois Shift Register Generated by f(x) = x^2 + x + 1

If we initialize the contents of the storage elements (s_1, s_0) with 0 1, the states of the Galois shift register are:
          s_1   s_0
time 0     0     1
time 1     1     0
time 2     1     1
time 3     0     1

Table 4. States of the Galois Shift Register

and are calculated by the following rules:

new s_0 = 1 · old s_1

new s_1 = old s_1 + old s_0 (modulo 2)


The output sequence of this shift register is 011011011... . Galois shift registers are very useful for creating fields since there exists a mapping of a state to the nonzero elements of a field.

3. Polynomial Associated with an LFSR

By definition, the characteristic polynomial of the sequence of bits that make up the contents of the n registers at time t, and of the shift register itself, is

f(x) = x^n + c_{n-1} x^{n-1} + ... + c_1 x + c_0,

where the c_i's are the feedback function coefficients. This polynomial generates the LFSR. Consider the polynomial g(x) = x^n + v_{n-1} x^{n-1} + v_{n-2} x^{n-2} + ... + v_1 x + v_0. Then the Galois shift register it generates is below.


Figure 3. Generic Galois Shift Register

4. How Galois LFSRs Can Be Used to Build Fields

We can build all of the nonzero elements of a field with Galois shift registers. For example, recall the primitive polynomial f(x) = x^2 + x + 1 over GF(2). Let a be one root of f(x) in the field GF(2^2) = GF(2)[x]/(f(x)). Each element of GF(2^2) can be written as s · a^1 + t · a^0 for s and t in GF(2). So there will be 2 storage elements in the shift register. One storage element holds the coefficient of a and the other holds the coefficient of a^0 = 1. Next, we determine how f(x) affects the feedback, which is the coefficient of a^2. But a^2 = a + 1 in this field. So the feedback goes to the registers that hold the coefficients of the a and a^0 terms, i.e., s_1 and s_0, respectively.


Figure 4. Galois Shift Register Generated by f(x) = x^2 + x + 1

Each subsequent step of the shift register is equivalent to multiplying the element of the field (which is equivalent to the current state of the shift register) by a and then reducing that result modulo f(a). This occurs because shifting the contents of the registers is equivalent to multiplication by a, and XOR'ing the fed-back coefficients into the registers is equivalent to replacing a^2 by a + 1 with the coefficients reduced modulo 2.

To see this, look at the table of states for the shift register generated by f(x) below.

          power of a   contents of registers (s_1 s_0)   equivalent polynomial in a
time 0    a^0          0 1                               0·a + 1·1 = 1
time 1    a^1          1 0                               1·a + 0·1 = a
time 2    a^2          1 1                               1·a + 1·1 = a + 1

Table 5. Contents of Galois Shift Register and Equivalent Field Elements
Note that the state of the register at time 2 verifies the relationship a^2 = a + 1, which is equivalent to the fact that a is a root of the polynomial f(x).

Now, we used primitive polynomials to build the shift register, but we could have just as easily used an irreducible polynomial that was not primitive to build the shift register. However, a root of an imprimitive polynomial is not primitive, and therefore the powers of the root will not exhaust all the nonzero elements of the field. Since the result of each step of the register is equivalent to multiplying the current element by the root of the imprimitive polynomial used to build the shift register, the states of the shift register will not result in all of the nonzero elements of the field appearing. All the nonzero elements of the field appearing is equivalent to all the different nonzero states of a Galois shift register appearing. This happens only if the polynomial used to create the register is primitive.
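The correspondence between register states and field elements described above can be programmed directly. The following Python is an added example, not the Mathematica or C++ code of this thesis: a Galois register for a monic binary polynomial of degree n holds an n-bit state whose bit i is register s_i, and one step is the shift-and-XOR of Figure 3, which is multiplication of the current element by a. Running the register from state 1 regenerates Table 2 for x^4 + x + 1 and Table 5 for x^2 + x + 1, and the dictionary of (state, step count) pairs is exactly the log table behind a^i · a^j = a^((i+j) mod 15). The code refuses to build that table when the register does not visit every nonzero state, which is the non-primitive case just discussed; the AES polynomial x^8 + x^4 + x^3 + x + 1 is such a case, with a period of 51.

```python
# Galois shift register for a monic polynomial f(x) = x^n + c_{n-1} x^{n-1} + ... + c_0 over GF(2).
# f is an int whose bit i is c_i (bit n is the leading 1); a state is an n-bit int whose bit i
# is the register s_i, i.e. the coefficient of a^i.  Added example code.

def galois_step(state, f):
    """One clock: multiply the element by a, then replace a^n by c_{n-1}a^{n-1}+...+c_0."""
    n = f.bit_length() - 1
    mask = (1 << n) - 1
    carry = (state >> (n - 1)) & 1          # the a^(n-1) coefficient that would become a^n
    state = (state << 1) & mask             # shift toward the higher index
    if carry:
        state ^= f & mask                   # feedback taps: XOR in c_0 .. c_{n-1}
    return state

def state_sequence(f, start=1):
    """States visited from `start` until it recurs; len() is the period (Theorem 15: <= 2^n - 1)."""
    seq = [start]
    s = galois_step(start, f)
    while s != start:
        seq.append(s)
        s = galois_step(s, f)
    return seq

def poly_in_a(state):
    """Write a state as a polynomial in the root a, high power first (Table 2 right column)."""
    terms = ["a^%d" % i if i > 1 else ("a" if i == 1 else "1")
             for i in range(state.bit_length() - 1, -1, -1) if (state >> i) & 1]
    return " + ".join(terms) or "0"

def power_table(f):
    """Table 2: entry k is a^k written as a polynomial in a."""
    return [poly_in_a(s) for s in state_sequence(f)]

def make_mul(f):
    """Multiplication through the two representations: a^i * a^j = a^((i + j) mod period).

    Only valid when f is primitive, i.e. the register from state 1 visits all 2^n - 1 nonzero
    states; otherwise some elements have no logarithm and a ValueError is raised."""
    n = f.bit_length() - 1
    seq = state_sequence(f)
    if len(seq) != (1 << n) - 1:
        raise ValueError("period %d < %d: f is not primitive" % (len(seq), (1 << n) - 1))
    log = {s: k for k, s in enumerate(seq)}
    def mul(x, y):
        if x == 0 or y == 0:
            return 0
        return seq[(log[x] + log[y]) % len(seq)]
    return mul

if __name__ == "__main__":
    f = 0b10011                              # x^4 + x + 1
    for k, p in enumerate(power_table(f)):
        print("a^%-2d = %s" % (k, p))
    mul = make_mul(f)
    print("(a^3 + 1)(a^3 + 1) =", poly_in_a(mul(0b1001, 0b1001)))   # a^14 * a^14 = a^13
    print("period for x^8 + x^4 + x^3 + x + 1:", len(state_sequence(0b100011011)))
```

The states are the same integers whichever polynomial is used, so the register for an imprimitive polynomial still runs; what changes is only how many of the 2^n - 1 nonzero states it visits before returning to 1.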

For example, consider the polynomial h(x) = x^2 + x + b^i over GF(2^4), for a suitable exponent i. Now, h(x) has no roots in GF(2^4), so it is irreducible. The Galois shift register generated by h(x) is below.


Figure 5. Galois Shift Register Generated by x^2 + x + b^i

If we initialize the contents of the storage elements (s_1, s_0) with 0 1, the states of the Galois shift register are:
            s_1          s_0
time 0      0            1
time 1      1            0
time 2      1            b^i
time 3      b^i + 1      b^i
...
time 85     0            1

Table 6. States of the Galois Shift Register Generated by x^2 + x + b^i

and are calculated by the following rules:

new s_0 = b^i · old s_1

new s_1 = old s_1 + old s_0 (addition in GF(2^4), i.e., coefficientwise modulo 2)

Since the period of this shift register is 85 rather than 2^8 - 1 = 255, the polynomial h(x) = x^2 + x + b^i is irreducible but not primitive over GF(2^4).
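The period computation just described can be carried out for every constant b^i at once, which also shows which exponents produce the period 85 quoted for h(x). The following Python is an added example, not from this thesis: GF(2^2) is built as {c_1 a + c_0} with a^2 = a + 1, GF(2^4) on top of it as {h b + l} with b^2 = b + a exactly as in Section II.A.6, and the Galois register of Table 6 runs over GF(2^4) with the rules new s_0 = const · old s_1, new s_1 = old s_1 + old s_0. The code regenerates Table 3 (including b^5 = a), tests x^2 + x + b^i for a root in GF(2^4), and reports the period from state (0, 1) for each i: 255 when the polynomial is primitive, 85 for the irreducible but non-primitive constants, and at most 15 when the polynomial is reducible, because then the register runs in GF(2^4)[x]/(h(x)), which is not a field.

```python
# Tower GF(2) -> GF(2^2) -> GF(2^4) and the Galois register over GF(2^4).  Added example code.
# GF(2^2): ints 0..3 as c1*a + c0 with a^2 = a + 1, so a == 2 and a^2 == 3.
# GF(2^4): pairs (h, l) of GF(2^2) elements meaning h*b + l, with b^2 = b + a.

A = 2                      # the primitive element a of GF(2^2)
ZERO, ONE, B = (0, 0), (0, 1), (1, 0)

def gf4_mul(u, v):
    """(u1 a + u0)(v1 a + v0) with a^2 = a + 1."""
    u1, u0, v1, v0 = u >> 1, u & 1, v >> 1, v & 1
    hi = (u1 & v1) ^ (u1 & v0) ^ (u0 & v1)   # a-coefficient (u1 v1 a^2 contributes a + 1)
    lo = (u1 & v1) ^ (u0 & v0)
    return (hi << 1) | lo

def gf16_add(x, y):
    return (x[0] ^ y[0], x[1] ^ y[1])        # coefficientwise addition in GF(2^2)

def gf16_mul(x, y):
    """(p b + q)(r b + s) = pr b^2 + (ps + qr) b + qs, then b^2 = b + a."""
    (p, q), (r, s) = x, y
    pr = gf4_mul(p, r)
    return (pr ^ gf4_mul(p, s) ^ gf4_mul(q, r), gf4_mul(pr, A) ^ gf4_mul(q, s))

def powers_of_b():
    """Table 3: b^0, b^1, ... until the powers return to 1 (15 entries since b is primitive)."""
    table, x = [ONE], B
    while x != ONE:
        table.append(x)
        x = gf16_mul(x, B)
    return table

def has_root_in_gf16(const):
    """x^2 + x + const is reducible over GF(2^4) iff some element of GF(2^4) is a root."""
    return any(gf16_add(gf16_add(gf16_mul((h, l), (h, l)), (h, l)), const) == ZERO
               for h in range(4) for l in range(4))

def register_period(const):
    """Period of the Galois register for x^2 + x + const from (s1, s0) = (0, 1), Table 6 rules:
    new s0 = const * old s1,  new s1 = old s1 + old s0."""
    if const == ZERO:
        raise ValueError("x divides x^2 + x; the register never returns to (0, 1)")
    s1, s0 = ZERO, ONE
    steps = 0
    while True:
        s1, s0 = gf16_add(s1, s0), gf16_mul(const, s1)   # both use the old s1
        steps += 1
        if (s1, s0) == (ZERO, ONE):
            return steps

def classify():
    """For each i in 0..14: (x^2 + x + b^i irreducible?, register period)."""
    tbl = powers_of_b()
    return {i: (not has_root_in_gf16(tbl[i]), register_period(tbl[i])) for i in range(15)}

def fmt(x):
    """Print a GF(2^4) element the way Table 3 does, e.g. 'a^2 b + a'."""
    names = {1: "1", 2: "a", 3: "a^2"}
    h, l = x
    parts = ([("b" if h == 1 else names[h] + " b")] if h else []) + ([names[l]] if l else [])
    return " + ".join(parts) or "0"

if __name__ == "__main__":
    for k, x in enumerate(powers_of_b()):
        print("b^%-2d = %s" % (k, fmt(x)))
    for i, (irr, period) in classify().items():
        print("x^2 + x + b^%-2d irreducible=%-5s period=%d" % (i, irr, period))
```

For a degree 2 polynomial, having no root is the same as being irreducible, so the root search in has_root_in_gf16 is the argument the text gives for g(x) and h(x); the period then distinguishes the primitive constants (255) from the merely irreducible ones (85).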
III. MATH TOOLS


In order to gather data about primitive polynomials of the form x^2 + x + a^i, we wrote two programs. One program, written in Mathematica, used the Standard Algorithm for Galois shift registers explained in Chapter II. Because computations are done in the field using built-in functions as well as a special library [8], the program runs slowly. As a result, we took a new approach and looked at the Exponential Algorithm for building fields with Galois shift registers. We programmed this new approach in C++. However, the Exponential Algorithm requires the Galois shift register table for every previous extension field. So this C++ program needs a lot of memory, and it does not take long for a typical 32-bit x86 based machine to be insufficient. On the other hand, the C++ program is far superior to the Mathematica program in terms of its runtime.

A. MATHEMATICA PROGRAM INSIGHTS

In order to determine whether or not polynomials of the form x^2 + x + a^i are primitive over a given field, and also to determine which power of the current primitive root is equal to previous primitive roots, we programmed a Galois shift register in Mathematica. When this particular shift register is run, addition and multiplication of the elements in the field are still being performed. So, for the Standard Algorithm for the Galois shift register as described in Chapter II and above, we still need computational algebra software. With the help of a Galois theory library for Mathematica [8], the algorithm is simple. Also, we minimized the work that the program did via the procedures explained below. The output of the program is just the states of the shift register, and an example is in Appendix A.

1. Existence of Irreducible Polynomials

The first step to finding primitive polynomials of the form x^2 + x + a^i, for some primitive element a in GF(2^n) and some positive integer i, over a particular field GF(2^n) is to find irreducible polynomials of that form. So, we minimized the work that the program did by ignoring reducible polynomials of the form x^2 + x + a^i over each field.

We can determine if irreducible polynomials of the form x^2 + x + a^i exist over a particular field by using a counting argument. However, since we know the total number of polynomials of the form x^2 + x + a^i, we can also find the number of reducible polynomials of that form and then subtract.

For example, consider polynomials over GF(2^2). We know all degree 2 monic polynomials over the field are of the form x^2 + ax + b where a and b are in GF(2^2). Since there are four choices for each of a and b, that leaves us with 16 different monic degree 2 polynomials over the field. Now, we need to determine which ones are irreducible and which ones are reducible. Suppose that x^2 + ax + b is reducible. Then the polynomial factors into two degree 1 terms. In other words, x^2 + ax + b = (x + s)(x + t) for some s and t in GF(2^2). We know all the possible values for s and t, so we can create a table of all the possible products of (x + s) and (x + t).


              t = 0            t = 1                t = a                t = a^2
   s = 0      x^2              x^2 + x              x^2 + ax             x^2 + a^2 x
   s = 1      x^2 + x          x^2 + 1              x^2 + a^2 x + a      x^2 + ax + a^2
   s = a      x^2 + ax         x^2 + a^2 x + a      x^2 + a^2            x^2 + x + 1
   s = a^2    x^2 + a^2 x      x^2 + ax + a^2       x^2 + x + 1          x^2 + a

Table 7. Multiplication Table of All Possible Products of (x + s) and (x + t).

After taking all of the possible products of (x + s) and (x + t), there are only 10 different monic degree 2 polynomials. So, x^2, x^2 + x, x^2 + 1, x^2 + ax, x^2 + a^2 x + a, x^2 + a^2, x^2 + a^2 x, x^2 + ax + a^2, x^2 + x + 1, and x^2 + a are the only polynomials that can be factored into (x + s)(x + t) for some s and t in GF(2^2). This means that there are 16 - 10 = 6 monic degree 2 polynomials that cannot be factored. In other words, they are irreducible.
2. Irreducible Polynomials over a Field

If we look at the problem from a different angle, we can program the search for reducible polynomials. Suppose f(x) = x^2 + x + a^i is reducible and that a^j and a^k are its roots. Then f(x) = x^2 + x + a^i = (x + a^j)(x + a^k) = x^2 + (a^j + a^k)x + a^(j+k). This only happens if a^j + a^k = 1. Once we find a pair (j, k) for which this relationship holds, we know that the polynomial x^2 + x + a^(j+k) is reducible. Thus, we do not need to run the shift register generated by the polynomial to test if it is primitive.
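The Standard Algorithm register of Chapter II (the rules under Table 6), the counting argument of Section III.A.1 and the factorization search of III.A.2 can all be carried out on a small tower of quadratic extensions. The Python program below is an added example and is not the thesis's Mathematica program. It represents each extension element as a pair over the field below it (the names GF2, QuadExt, register_period, split_factors, count_split_quadratics and reducible_exponents are this example's own), builds GF(2^2) with x^2 + x + 1 and GF(2^4) with x^2 + x + a, counts the 10 monic quadratics over GF(2^2) that split, lists the exponents j for which x^2 + x + b^j splits over GF(2^4), and measures the register periods 85 and 255 of x^2 + x + b^3 and x^2 + x + b^7.

```python
# Standard Algorithm Galois shift register over a tower of quadratic extensions.
# Added example (not the thesis's Mathematica program).  An element of the
# extension built from F with x^2 + x + c is a pair (h, l) meaning h*beta + l,
# where beta is a root of x^2 + x + c, so beta^2 = beta + c in characteristic 2.


class GF2:
    """The base field GF(2): elements are the ints 0 and 1."""
    elements = (0, 1)
    zero, one = 0, 1

    @staticmethod
    def add(x, y):
        return x ^ y

    @staticmethod
    def mul(x, y):
        return x & y


class QuadExt:
    """F[x] / (x^2 + x + c): a quadratic extension of the field F."""

    def __init__(self, F, c):
        self.F, self.c = F, c
        self.zero, self.one = (F.zero, F.zero), (F.zero, F.one)
        self.elements = [(h, l) for h in F.elements for l in F.elements]

    def add(self, x, y):
        return (self.F.add(x[0], y[0]), self.F.add(x[1], y[1]))

    def mul(self, x, y):
        # (h1 b + l1)(h2 b + l2) = h1 h2 b^2 + (h1 l2 + l1 h2) b + l1 l2,  b^2 = b + c
        F = self.F
        hh = F.mul(x[0], y[0])
        h = F.add(hh, F.add(F.mul(x[0], y[1]), F.mul(x[1], y[0])))
        l = F.add(F.mul(hh, self.c), F.mul(x[1], y[1]))
        return (h, l)

    def power(self, x, e):
        r = self.one
        for _ in range(e):
            r = self.mul(r, x)
        return r


def register_period(F, c):
    """Standard Algorithm register of x^2 + x + c over F (Chapter II, Table 6).

    State (s1, s0) stands for s1*beta + s0, and one step multiplies by beta:
        new s0 = c * old s1,   new s1 = old s1 + old s0   (addition is mod 2).
    Starting from 0 1 (the element 1), the number of steps until the register
    returns to 0 1 is the order of beta, i.e. the period of the polynomial.
    Returns None if the register never returns (only possible for c = 0).
    """
    s1, s0 = F.zero, F.one
    for steps in range(1, len(F.elements) ** 2 + 1):
        s1, s0 = F.add(s1, s0), F.mul(c, s1)
        if (s1, s0) == (F.zero, F.one):
            return steps
    return None


def split_factors(F, c):
    """Section III.A.2: x^2 + x + c = (x + s)(x + t) needs s + t = 1 and s*t = c,
    so search for s with s*(s + 1) = c.  Returns (s, t), or None if irreducible."""
    for s in F.elements:
        t = F.add(s, F.one)
        if F.mul(s, t) == c:
            return (s, t)
    return None


def count_split_quadratics(F):
    """Section III.A.1: how many distinct monic quadratics (x + s)(x + t) exist over F."""
    return len({(F.add(s, t), F.mul(s, t)) for s in F.elements for t in F.elements})


def reducible_exponents(F, g):
    """Exponents j for which x^2 + x + g^j is reducible over F (g a primitive element)."""
    return [j for j in range(len(F.elements) - 1) if split_factors(F, F.power(g, j))]


# The tower the thesis builds: GF(2) -> GF(2^2) -> GF(2^4).
GF4 = QuadExt(GF2, 1)            # x^2 + x + 1 over GF(2)
a = (1, 0)                       # a root of x^2 + x + 1
GF16 = QuadExt(GF4, a)           # x^2 + x + a over GF(2^2)
b = (GF4.one, GF4.zero)          # a root of x^2 + x + a

if __name__ == "__main__":
    print("monic quadratics over GF(2^2) that split:", count_split_quadratics(GF4))  # 10 of 16
    print("reducible x^2 + x + b^j over GF(2^4), j =", reducible_exponents(GF16, b))
    for j in (3, 7):
        print(f"period of x^2 + x + b^{j}:", register_period(GF16, GF16.power(b, j)))
```

The split test is exactly the (j, k) search of III.A.2 written in terms of one root s (the other root is forced to be s + 1), and the register is the one the thesis steps by hand in Table 6; with c = b^3 it returns to 0 1 after 85 steps, with c = b^7 after the maximal 255.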

3. Testing One Root Per Conjugacy Class

We know that elements in the same conjugacy class have the same order. So, if x^2 + x + a^i is a primitive polynomial over GF(2^n), then so is x^2 + x + (a^i)^(2^k) for every (a^i)^(2^k) in the conjugacy class of a^i. Therefore, we only need to run the shift register generated by x^2 + x + a^i to determine the periods of the polynomials whose constant coefficients are in the conjugacy class of a^i.

4. Mathematica Program Pseudocode

For example, the pseudocode for the Mathematica Program that builds GF(2^16) is below and the actual code is in Appendix B.

Pseudocode for building GF(2^16):
set directory to look for finite field library
declare the field extension GF(2)
declare the field extension GF(2^2)
declare the field extension GF(2^4)
declare the field extension GF(2^8)

open the outfile

set the variable lowerField   //name given to the second to last declared extension field (GF(2^8) in this case)
set sizeOfField               //size of the field we are building (65536 in this case)
set multiplier                //multiplier in the shift register (aka constant term of the primitive polynomial used to create GF(2^16))
set newX to 0                 //left box of the shift register
set oldX to 0                 //temp storage for left box of the shift register
set newY to 1                 //right box of the shift register
set oldY to 1                 //temp storage for the right box of the shift register

write contents of shift register to outfile

for(n=1, n <= sizeOfField-2, n++)   //create all elements of the new field except 0 and 1
{
    newX = oldX + oldY
    newY = oldX * multiplier

    use library to simplify newX and newY in the lower field (GF(2^8))
    set oldX to newX
    set oldY to newY

    write contents of shift register to outfile

    if the contents of the shift register are the element 1, then stop loop early
}

close outfile


B. EXPONENTIAL ALGORITHM FOR GALOIS SHIFT REGISTER

The Mathematica program must be told which degree 2 polynomials are used to build the fields previous to the current field, and it does not use the previous shift register results. This takes a lot of processing time and requires a considerable amount of input from the user. However, there is another algorithm that uses Galois shift registers to build extension fields, which we call the Exponential Algorithm [9]. This algorithm does not need computational algebra software and can be programmed in C++.

1. Exponential Algorithm Overview

Let a be a primitive element in GF(2^n). Suppose f(x) = x^2 + x + a^j is a primitive polynomial over GF(2^n). Then, use f(x) to generate the Galois shift register. In the Standard Algorithm, the contents of the shift register will be elements of GF(2^n), and therefore can be represented as either a^i for some i or as 0. In the Exponential Algorithm, the elements of the shift register will still represent a^i or 0, but will be represented by just the exponent i or by *, respectively. (0 cannot represent the number zero because 0 in this case represents a^0 = 1.) Also in the Exponential Algorithm, the operations of the shift register are modified but the result remains the same. For example, instead of new s_0 = a^j · old s_1, we have new s_0 = j + old s_1 (where the contents of s_0 and s_1 denote some exponent of a). This follows since multiplication of two numbers with the same base is accomplished by simply adding exponents. Also, since 0 · a^i = 0, * + i is defined to be *. Figuring out new s_1 is a little trickier. In the Standard Algorithm, the equation is new s_1 = old s_1 + old s_0 (mod 2). However, in the Exponential Algorithm, new s_1 = old s_1 ⊕ old s_0, where ⊕ is a new operator and is related to the addition (mod 2) operation from the Standard Algorithm. By definition, * ⊕ i is equal to i for any 0 ≤ i ≤ 2^n - 2, since i represents powers of the primitive element a in GF(2^n). Intuitively, this has to do with the fact that 0 + a^i = a^i. Along these lines, i ⊕ i = * since a^i + a^i = 0 (mod 2). And * ⊕ * = * since 0 + 0 = 0. However, for i and k not equal to each other and for neither i nor k equal to *, determining i ⊕ k requires information from the previously defined finite field. Note that if a is a primitive element of GF(2^n), then for a^i in GF(2^n) = {0, a^0, a^1, ..., a^(2^n - 2)}, it must be the case that 0 ≤ i ≤ 2^n - 2. So, i is an element of the additive group Z_(2^n - 1).

2. Exponential Algorithm: the ⊕ Operator

In more formal terms, to determine s ⊕ t when using a shift register to build the nonzero elements of GF(2^(2n)):

1. If s = t, the result is *.

2. If s = *, the result is t.

3. If t = *, the result is s.

4. At this point, both s and t are in Z_(2^n - 1), s ≠ t, and neither s nor t is equal to *.

   i. Retrieve the 2 rows that represent a^s and a^t in the Galois shift register table that has the representations of all nonzero elements of GF(2^n).

   ii. Do the ⊕ operation component-wise on the 2 rows (i.e., the polynomial representations of a^s and a^t). (In other words, return to Step 1 for each pair.)

   iii. This results in a new row that represents a^u for some u in Z_(2^n - 1). Return this result u.

3. Exponential Algorithm: An Example

Some rules of the operations + and ⊕ to remember are:

    * ⊕ i = i        i ⊕ i = *        * + i = *

Also, the rules of the shift register for the Exponential Algorithm are:

    new s_0 = j + old s_1
    new s_1 = old s_1 ⊕ old s_0    (modulo 2^n)

when the field being built is GF(2^(2n)).

For example, use the primitive polynomial f(x) = x^2 + x + 1 over GF(2) to build GF(2^2). Let a be a root of f(x) and an element of GF(2^2). The Galois shift register generated by f(x) in the Standard Algorithm is:

Figure 6. Galois Shift Register for Standard Algorithm Generated by f(x)

But in the Exponential Algorithm, the register is:

Figure 7. Galois Shift Register for Exponential Algorithm Generated by f(x)

(Recall that 1 = a^0.) Initialize the register created for the Exponential Algorithm with a^0, which is denoted by * 0 in the shift register table. (Recall that a^0 = 0 · a + a^0 · 1. And the number 0 is denoted by * and a^0 is denoted by 0.)

Then, after the first step of the register,

    new s_0 = 0 + old s_1 = 0 + * = *
    new s_1 = old s_1 ⊕ old s_0 = * ⊕ 0 = 0.

After the second step,

    new s_0 = 0 + old s_1 (mod 2^1) = 0 + 0 = 0
    new s_1 = old s_1 ⊕ old s_0 = 0 ⊕ * = 0.

After the third step,

    new s_0 = 0 + old s_1 (mod 2^1) = 0 + 0 = 0
    new s_1 = old s_1 ⊕ old s_0 = 0 ⊕ 0 = *.

The resulting Galois shift register table for GF(2^2) is:


        a   1
a^0     *   0
a^1     0   *
a^2     0   0

Table 8. Nonzero Elements of GF(2^2) Created with Galois Shift Register and Exponential Algorithm
Next, consider the polynomial g(x) = x^2 + x + a over GF(2^2). We saw g(x) is primitive and that we can use it to build GF(2^4). Let b be a root of g(x) and an element of GF(2^4). The shift register that g(x) generates for the Exponential Algorithm is:

Figure 8. Galois Shift Register for Exponential Algorithm Generated by g(x)

After initializing the shift register with * 0, the first 3 rows of the shift register table are:

        b   1
b^0     *   0
b^1     0   *
b^2     0   1

Table 9. First Three Rows of Galois Shift Register Table for GF(2^4)

Then after the third step of the shift register,

    new s_0 = 1 + old s_1 (mod 2^2) = 1 + 0 = 1
    new s_1 = old s_1 ⊕ old s_0 = 0 ⊕ 1 = ?

In order to determine the result of 0 ⊕ 1, we need to retrieve the rows of the previous shift register table that represent a^0 and a^1. These are * 0 and 0 *, respectively.

Next, we do the ⊕ operation on the rows, component-wise. The first component of the row representing a^0 ⊕ the first component of the row representing a^1 is * ⊕ 0 = 0. This will be the first component of the row we look for after doing the ⊕ operation on the second components of the above rows. The second component of the row representing a^0 ⊕ the second component of the row representing a^1 is 0 ⊕ * = 0.

Thus, we look for the row whose components are 0 0 in the shift register table for GF(2^2). The row representing a^2 has components 0 0. So, return the result 2. Therefore, after the third step of the shift register generated by g(x), we have 2 1.

The shift register continues to be stepped until the shift register table is complete.

The Exponential Algorithm can still be used with irreducible polynomials that are not primitive. However, the shift register then will only create a portion of the set of nonzero elements of the extension field.


        b   1
b^0     *   0
b^1     0   *
b^2     0   1
b^3     2   1
b^4     0   0
b^5     *   1
b^6     1   *
b^7     1   2
b^8     0   2
b^9     1   1
b^10    *   2
b^11    2   *
b^12    2   0
b^13    1   0
b^14    2   2

Table 10. Nonzero Elements of GF(2^4) Created with Galois Shift Register and Exponential Algorithm

C. C++ PROGRAM INSIGHTS

Unlike the Mathematica program, the C++ program uses the Exponential Algorithm to build fields using Galois shift registers. So, the C++ program does not need to do computations in the fields and runs much faster. For example, data was gathered on these extension fields and the positions of previous primitive roots within those fields with the Mathematica program over the course of 6 months. With the C++ program, we are able to gather about 8 times as much data in less than 4 minutes. However, the C++ program requires information from the previous extension fields, and uses more memory than the Mathematica program.

Another difference between the C++ program and the Mathematica program is the way irreducible polynomials of the form x^2 + x + a^i are found. In the C++ program, we use the trace of the element a^i to find irreducible polynomials of the form x^2 + x + a^i instead of the method used in the Mathematica program. The trace of an element and this method are explained in the section below.

For the Mathematica program, the only way to determine if the irreducible polynomial is primitive is to see if the shift register generated by it has the maximal period. If it does not, then the polynomial is not primitive. The C++ program uses Theorem 3 from the Results Chapter to quickly determine if an irreducible polynomial of the form x^2 + x + a^i is primitive. If it is primitive, then the shift register generated by the polynomial is run using the Exponential Algorithm.

The output of the C++ program is a text file listing the degree 2 polynomials used to build the fields up to a particular field as well as the power of the primitive root (of the current field) that is equal to the primitive roots used to generate the previous extension fields. An example is in Appendix C. Once the memory problem becomes too great to build a particular field GF(2^(2n)), the program is still able to print out which polynomials of the form x^2 + x + a^i are primitive over GF(2^n), since only information about fields GF(2^n) and smaller is needed to determine that.

1. Trace

We can use the trace of an element of a field GF(2^n) to determine if the polynomial x^2 + x + a^i is irreducible over that field. The trace is defined to be the sum of the conjugates of an element of a field. In the Exponential Algorithm for Galois shift registers, we define the trace specifically as the ⊕ operation performed on all of the shift register table representations of the conjugates of a^i [9]. If the trace is * * (i.e., the equivalent of the number "zero" in the field), then the polynomial x^2 + x + a^i is reducible. However, if the result is * 0 (i.e., the equivalent of the number "one" in the field), then the polynomial x^2 + x + a^i is irreducible.

For example, consider the polynomial x^2 + x + b over the field GF(2^4), where b is a primitive element of GF(2^4). We want to determine if the polynomial is irreducible over this field. The trace of b is b + b^2 + b^4 + b^8. So, we retrieve the corresponding rows from Table 3 above and get the equation:

      0 *
      0 1
      0 0
    ⊕ 0 2
    -------
      * *

The result is * *, so the polynomial is reducible over GF(2^4).

Now consider the polynomial x^2 + x + b^7 over GF(2^4). The trace of b^7 is b^7 + b^14 + b^13 + b^11. Retrieving the appropriate rows from Table 3, we get the equation:

      1 2
      2 2
      1 0
    ⊕ 2 *
    -------
      * 0

The result is * 0, so the polynomial is irreducible over GF(2^4).

2. C++ Program Pseudocode

The pseudocode for the C++ Program that iteratively builds the fields GF(2^4) up to GF(2^^) is below and the actual code is in Appendix D.

Define a galois table structure that will hold info about each extension field built. This structure will include the Galois shift register table.

Define the variable STAR to be the largest unsigned integer the cpu can handle.

Initialize the register (which is just 2 integers) to STAR 0.

Start with a primitive polynomial of the form x^2 + x + a^i over the field GF(2^4) (since we know the only two choices).

Loop until GF(2^^):
{
    Loop until out of primitive polynomials for the field:
    {
        Build the shift register table for the next extension field using the Exponential Algorithm and the next primitive polynomial in the list.

        When you see the previous primitive root during this procedure (looks like 0 STAR in the shift register table), note the power of the current primitive root it is equal to.

        Determine which polynomials of the form x^2 + x + a^i are irreducible over the current field by using the trace of the constant coefficient.

        Use Theorem 2 from the Results Chapter to make a list of which of those irreducible polynomials are primitive.
    }
}
IV. RESULTS

The results of this work include two programs, charts detailing the extension fields and primitive roots, as well as some insight into the field that AES S-box computations are computed over.

A. CHARTS

The charts in Appendix E are a visualization of the location of previous primitive roots in extension fields from GF(2 ) to GF(2 ). Each box represents a separate extension field. Within each box is listed the polynomial used to create that extension and the power of the root of that polynomial which is equal to each root of the polynomials used to create each of the previous extension fields.

The polynomial f(x) = x^2 + x + 1 is irreducible over GF(2). Let a be a root of that polynomial. Use the polynomial to create the field GF(2^2) = {0, 1, a, a + 1}. As shown in Chapter II, x^2 + x + a is irreducible over GF(2^2). Let b be the root of x^2 + x + a. We create the field GF(2^4) with the primitive polynomial x^2 + x + a over GF(2^2). In this case, a is our only previous primitive root, so we note which power of b is equal to the root a in the box (b^5 = a).

Note that the vertical lines extending from box to box designate which fields the extension fields are built upon. Also, boxes that use the same color indicate that the constant coefficients of the primitive polynomials used to build those fields are in the same conjugacy class. The field extensions that the primitive polynomials are used to create are indicated in the left margin.

B. THEOREMS

We restrict the choice of polynomial to build the extension field to be of the form x^2 + x + a^i or x^2 + a^i x + 1, as indicated in Chapter I. The AES polynomial is x^8 + x^4 + x^3 + x + 1, and the field it creates cannot be realized as an extension field if we only use polynomials of the above forms.

Theorem 1: The field that the AES S-Boxes are implemented in cannot be built with degree two extensions of the form x^2 + x + a^i or x^2 + a^i x + 1.
Proof:

The AES polynomial, x^8 + x^4 + x^3 + x + 1, is not primitive, of period 51. The only polynomial which is primitive of degree 2 over GF(2) to create GF(2^2) is x^2 + x + 1, as we showed in Chapter II. Then the only polynomial we can use to create GF(2^4) of our form is x^2 + x + a where a is a root of x^2 + x + 1. (Any other choice of polynomial is isomorphic to this choice.) To create a field of 2^8 elements we have a choice of x^2 + x + b^3 or x^2 + x + b^7, where b is a root of x^2 + x + a. However, x^2 + x + b^3 is irreducible but of period 85. (This can be shown with Conway's method [2].) So, it is not primitive. The conjugates of b^3, namely b^6, b^12, and b^9, yield the same results, as we discussed in Chapter II. Choosing x^2 + x + b^7 results in a primitive polynomial of period 255, as do the conjugates of b^7, namely b^14, b^13, and b^11. All other choices of the polynomial x^2 + x + b^i are reducible, for i = 0, 1, 2, 4, 5, 8, and 10.

Next, consider using polynomials of the form x^2 + b^i x + 1 to build the field GF(2^8) from GF(2^4), where b is an element of GF(2^4). The polynomial is only irreducible when i = 1 or i = 3. In each case, the polynomial is not primitive, with period 17. Therefore, the degree 2 polynomial that builds the exact same field as the AES polynomial must be of the form x^2 + b^i x + b^j with neither b^i = 1 nor b^j = 1. □

Incidentally, one can use Magma to show that x^8 + x^4 + x^3 + x + 1 builds the same exact field, GF(2^8), from GF(2) as x^2 + bx + b^5 will build from GF(2^4). An example of the Magma commands [10] used to show this is below.

k := GF(256);
P<x> := PolynomialRing(k);
a := Roots(x^2+x+1)[1][1];
b := Roots(x^2+x+a)[1][1];
c := Roots(x^2+b*x+b^5)[1][1];
aes := Roots(x^8+x^4+x^3+x+1);
c in [r[1] : r in aes];
S51 := [i : i in k | i^51 eq 1];

Note further that x^8 + x^6 + ... + 1 builds the same field as x^2 + x + b^ .


One of the first things we want to determine is if a polynomial of the form x^2 + x + a^i is primitive over a particular field. It turns out that in creating the field with the Galois shift register using the exponent algorithm, a pattern emerges from the elements of the table. This pattern is directly related to the coefficients of the polynomial. We can use this pattern to determine the period of the polynomial without running the whole shift register. In fact, if a polynomial is of the form x^2 + a^i x + a^j, we do not need to run the shift register at all.

For example, we use x^2 + x + 1 to build GF(2^2). Let a be a root of x^2 + x + 1. Then a^2 + a + 1 = 0. Recall that in the table of nonzero field elements, * refers to the number zero and the integers refer to the power of 1 (a primitive element in the field GF(2^1) = GF(2)). For example, 0 in the table represents 1^0 = 1. Also, the rows represent linear combinations of a and 1. For instance, * 0 in the row represents 0 · a + 1^0 · 1 = 1. This makes sense because a^0 = 1. For our table of nonzero field elements, we then get:


        a   1
a^0     *   0
a^1     0   *
a^2     0   0

Table 11. Nonzero Elements of GF(2^2) created with Galois Shift Register

The tables of nonzero field elements created with Galois shift registers are explained in Chapter II.

Now, use x^2 + x + a to build GF(2^4) as an extension of GF(2^2). Let b be a root of x^2 + x + a. Then b^2 + b + a = 0. Since a is the primitive element in the field that we built GF(2^4) from, the integers in the table refer to powers of a. For example, 0 in the table really represents a^0 = 1, 1 represents a^1 = a, and 2 represents a^2 (= a + 1). As in the other tables, * refers to the number zero. Also, the rows represent linear combinations of b and 1. For instance, * 0 in the row represents 0 · b + a^0 · 1 = 1. This makes sense because b^0 = 1. The table of nonzero field elements looks like:

        b   1
b^0     *   0
b^1     0   *
b^2     0   1
b^3     2   1
b^4     0   0
b^5     *   1
b^6     1   *
b^7     1   2
b^8     0   2
b^9     1   1
b^10    *   2
b^11    2   *
b^12    2   0
b^13    1   0
b^14    2   2

Table 12. Nonzero Elements of GF(2^4) created with Galois Shift Register

Note that a pattern can be observed across the rows when we cut the table into sections. For instance, to get from b^0 to b^5 to b^10 one only needs to add 1 1 to the entries in the table, i.e., we multiply by b^5 by adding the powers.

          b  1             b  1              b  1
b^0       *  0     b^5     *  1     b^10     *  2
b^1       0  *     b^6     1  *     b^11     2  *
b^2       0  1     b^7     1  2     b^12     2  0
b^3       2  1     b^8     0  2     b^13     1  0
b^4       0  0     b^9     1  1     b^14     2  2

Table 13. Rearranged Nonzero Elements of GF(2^4) Created with Galois Shift Register


In general, we are building extension fields using degree 2 polynomials, i.e., quadratic extensions. If we let $\beta$ be one root of the irreducible polynomial $f(x) = x^2 + a^i x + a^j$ over $GF(2^n)$, we know there is only one other root. Call this other root $\beta^*$. Then $f(x) = (x + \beta)(x + \beta^*) = x^2 + (\beta + \beta^*)x + \beta\beta^*$. Therefore, $\beta\beta^* = a^j$ and $\beta + \beta^* = a^i$. If we assume we are building the fields using the exponential algorithm explained in Chapter III, this means that the row representing $\beta^*$ will look like 0 0.

Interestingly, it turns out the root $\beta^*$ is actually $\beta^{2^n}$, as shown in the following lemma.

Lemma 1: Let $f(x) = x^2 + ax + c$ be irreducible over $GF(2^n)$. Let $\beta$ be a root. Then the other root of $f(x)$ is $\beta^{2^n}$ [3].

Proof:

$$
\begin{aligned}
[f(x)]^{2^n} &= [x^2 + ax + c]^{2^n} \\
&= (x^2)^{2^n} + (ax)^{2^n} + c^{2^n} && \text{since all cross terms are even and are } \equiv 0 \pmod 2 \\
&= x^{2 \cdot 2^n} + a^{2^n} x^{2^n} + c^{2^n} \\
&= x^{2 \cdot 2^n} + a x^{2^n} + c && \text{since all elements } b \text{ of the field } GF(2^n) \text{ satisfy } b^{2^n} = b \\
&= \left(x^{2^n}\right)^2 + a\left(x^{2^n}\right) + c = f\!\left(x^{2^n}\right)
\end{aligned}
$$

Since $f(\beta) = 0$, we get $f\!\left(\beta^{2^n}\right) = 0$. So, $\beta^{2^n}$ is also a root of $f(x)$. □

Note that $\beta^{2^n} \neq \beta$ in $GF(2^{2n})$, since $\beta \notin GF(2^n)$; so $\beta^{2^n}$ is distinct from $\beta$ in $GF(2^{2n})$ if $n > 0$.

Therefore, if we let $f(x) = x^2 + a^i x + a^j$ be an irreducible polynomial over $GF(2^n)$ and $\beta$ be a root, then $\beta^{2^n}$ is also a root of $f(x)$. Note that we will use $f(x)$ to build $GF(2^{2n})$ if this polynomial is also primitive.

Theorem 2: The order of an irreducible polynomial $f(x) = x^2 + a^i x + a^j$ over $GF(2^n)$ is equal to the order of the element $j$ in the additive group $\mathbb{Z}_{2^n - 1}$.

Proof:

Recall from our comments above that $\beta \beta^{2^n} = a^j$. So, $\beta^{2^n + 1}$ is represented by * j in the shift register table. Since $\beta^{2(2^n + 1)} = (a^j)^2 = a^{2j}$, the entry for $\beta^{2(2^n + 1)}$ is * 2j in the table. Similarly, the entry for $\beta^{k(2^n + 1)}$ is * kj (mod $2^n - 1$, because these numbers represent powers of a primitive element in $GF(2^n)$). □

Theorem 3: If $f(x) = x^2 + a^i x + a^j$ is irreducible over $GF(2^n)$ and $\beta$ in $GF(2^{2n})$ is a root, then the other root, $\beta^{2^n}$, is represented as 0 i in the Galois shift register table.

Proof:

Since $\beta$ and $\beta^{2^n}$ are roots of $f(x)$, $f(x) = (x + \beta)(x + \beta^{2^n})$, which equals $x^2 + (\beta + \beta^{2^n})x + \beta^{2^n + 1}$. So, $a^i = \beta + \beta^{2^n}$ and $a^j = \beta^{2^n + 1}$. Since $a^i = \beta + \beta^{2^n}$, then $\beta^{2^n} = a^i + \beta$. We know $\beta$ is represented by 0 * in the Galois shift register table when using the exponent algorithm. So,

    β + a^i  =    0 *
                ⊕ * i
                -----
                  0 i

Therefore, $\beta^{2^n}$ is represented as 0 i in the Galois shift register table. □
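The ⊕ operator and register rules of Section III.B, the trace test of III.C.1, the loop of the C++ pseudocode in III.C.2, and the table rows that Theorems 2 and 3 describe can all be checked with one short program. The Python below is an added example and is not the thesis's C++ program; the class Field and the functions oplus, extend, trace, is_irreducible, is_primitive and primitive_exponents are this example's own names. It rebuilds Tables 8 and 10 from GF(2) upward, reproduces the two trace computations of III.C.1, lists the primitive exponents over GF(2^4) (reading Theorem 2 as the criterion gcd(j, 2^n - 1) = 1 is this example's assumption, confirmed by running the register to its period), builds GF(2^8) with x^2 + x + b^7, and reads off the rows * j and 0 i of β^(2^n + 1) and β^(2^n).

```python
# Exponential Algorithm for Galois shift registers (Chapter III.B), the trace test
# of III.C.1, and the row positions of Theorems 2 and 3.  Added example, not the
# thesis's own C++ or Mathematica program.  A nonzero element of the field built
# from F = GF(2^n) with the register of x^2 + x + a^j is a row (h, l) meaning
# a^h * beta + a^l, where a is F's primitive element, beta is the root the
# register multiplies by, and STAR (the page's '*') is the coefficient 0.
from math import gcd

STAR = None


class Field:
    """One level of the tower GF(2), GF(2^2), GF(2^4), ... as a shift register table."""

    def __init__(self, rows, prev):
        self.rows = rows                            # rows[k] represents a^k
        self.index = {r: k for k, r in enumerate(rows)}
        self.prev = prev                            # field the components are exponents of
        self.m = len(rows)                          # 2^n - 1, so exponents live in Z_m
        self.n = self.m.bit_length()

    def one(self):
        return self.rows[0]

    def zero(self):
        return (STAR,) * len(self.rows[0])


GF2 = Field([(0,)], None)        # GF(2): its only nonzero element is 1 = 1^0


def oplus(s, t, F):
    """The (+) operator of III.B.2: exponent of a^s + a^t in F (STAR for 0)."""
    if s == t:                    # a^s + a^s = 0 (mod 2), and * (+) * = *
        return STAR
    if s is STAR:                 # 0 + a^t = a^t
        return t
    if t is STAR:
        return s
    # Step 4: add the two rows of F component-wise with the lower field's (+)
    # and look the resulting row up in F's table.
    row = tuple(oplus(x, y, F.prev) for x, y in zip(F.rows[s], F.rows[t]))
    return F.index[row]


def extend(F, j):
    """Run the register of x^2 + x + a^j over F from * 0 until it returns (III.B.3):
    new s0 = j + old s1 (mod 2^n - 1),  new s1 = old s1 (+) old s0.
    Row k is beta^k; for a primitive polynomial every nonzero element appears."""
    s1, s0 = STAR, 0
    rows = []
    while True:
        rows.append((s1, s0))
        s1, s0 = oplus(s1, s0, F), (STAR if s1 is STAR else (j + s1) % F.m)
        if (s1, s0) == (STAR, 0):
            return Field(rows, F)


def trace(F, k):
    """Row of Tr(a^k) = a^k + a^(2k) + ... + a^(2^(n-1) k), summed with (+) (III.C.1)."""
    acc = F.zero()
    for e in range(F.n):
        acc = tuple(oplus(x, y, F.prev) for x, y in zip(acc, F.rows[(k << e) % F.m]))
    return acc


def is_irreducible(F, k):
    """x^2 + x + a^k is irreducible over F exactly when Tr(a^k) is the row for 1."""
    return trace(F, k) == F.one()


def is_primitive(F, j):
    """Theorem 2 ties the order of irreducible x^2 + x + a^j to the additive order
    of j in Z_(2^n - 1); the polynomial is primitive when that order is maximal,
    i.e. gcd(j, 2^n - 1) = 1 (assumption used here; the register periods 85 and
    255 over GF(2^4) confirm it for the thesis's tower)."""
    return is_irreducible(F, j) and gcd(j, F.m) == 1


def primitive_exponents(F):
    """The list the C++ pseudocode (III.C.2) produces for one field."""
    return [j for j in range(F.m) if is_primitive(F, j)]


# Build the tower with the polynomials the thesis uses.
GF4 = extend(GF2, 0)             # x^2 + x + 1 over GF(2), root a
GF16 = extend(GF4, 1)            # x^2 + x + a over GF(2^2), root b
GF256 = extend(GF16, 7)          # x^2 + x + b^7 over GF(2^4), root beta

if __name__ == "__main__":
    fmt = lambda r: " ".join("*" if c is STAR else str(c) for c in r)
    for k, row in enumerate(GF16.rows):              # reproduces Table 10
        print(f"b^{k:<2} {fmt(row)}")
    print("primitive j over GF(2^4):", primitive_exponents(GF16))
    print("a = b^%d; in GF(2^8): b = beta^%d, a = beta^%d" % (
        GF16.index[(STAR, 1)], GF256.index[(STAR, 1)], GF256.index[(STAR, 5)]))
    print("beta^16 row:", fmt(GF256.rows[16]), " beta^17 row:", fmt(GF256.rows[17]))
```

Looking up a row's index is the "note which power of the current primitive root it is equal to" step of the pseudocode: in the GF(2^4) table the previous root a sits at index 5 (b^5 = a, as the charts record), and in the GF(2^8) table b and a sit at indices 221 and 85. Row 16 of that table is 0 0 and row 17 is * 7, which is what Theorem 3 and the proof of Theorem 2 predict for i = 0, j = 7.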
Using the second program described in Chapter III, it is simple to determine which polynomials of the form x^2 + x + a^i are primitive over GF(2^^) and can be used to build GF(2'’^).

C. CONCLUSIONS

The results of this work are the first steps towards a full understanding of the field that AES computation occurs in, GF(2^8). The charts created with the data from the C++ program detail which power of the current primitive root is equal to previous primitive roots for fields up through GF(2^^) created by polynomials of the form x^2 + x + a^i for a primitive element a. Currently, the C++ program will also provide all the primitive polynomials of the form x^2 + x + a^i for a primitive element a over the fields through GF(2 ). This work also led to a deeper understanding of certain elements of a field and their equivalent shift register state when using the Exponential Algorithm. In addition, given an irreducible polynomial f(x) = x^2 + a^i x + a^j over GF(2^n), the period (and therefore the primitivity) can be determined without running the shift register generated by f(x).
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V.  FUTURE  WORK 


There  are  still  unanswered  questions  left  to  explore  when  it  eomes  to 
understanding  the  field — GF(2^) — that  AES  relies  on. 

A. OTHER ALGORITHMS

While being able to build the fields with shift registers and program this method saved a lot of time, we still ran into some stumbling blocks. The Mathematica program using the Standard Algorithm did not need to store much in memory, but it took a long time to do its computations. On the other hand, the C++ program using the Exponential Algorithm needed a lot of memory but very little run time. Perhaps there is a different algorithm that is more in the middle of the resource spectrum: one that can build these fields quickly with shift registers but does not require as much memory as the Exponential Algorithm. Or maybe there is a better way to design the C++ program while still using the Exponential Algorithm.

B. AES AND POLYNOMIALS OF THE FORM x^2 + x + α^i

In his paper [1], Canright explored building extension fields with polynomials of the form x^2 + αx + β over GF(2^n) where α and β are elements of GF(2^n) and where one of α or β (but not both) is equal to 1. With polynomials of this form, he is able to create an implementation of an S-box that is 16% smaller than the previous most efficient implementation. By modifying the implementation of AES using polynomials of the form x^2 + x + α^i where α is a primitive element, can an implementation that is more efficient than Canright's be found?

In addition to determining if using polynomials of the form x^2 + x + α^i to build GF(2^8) makes the AES implementation more efficient, there are also other questions regarding polynomials of the form x^2 + x + α^i and AES. For example, would using polynomials of this form to implement AES have the adverse effect of weakening the AES algorithm in some way?

The  relationship  between  the  roots  of  these  polynomials,  the  constant  coefficients 
of  these  polynomials,  and  the  AES  S-boxes  needs  more  investigation. 
C. MATHEMATICS AND POLYNOMIALS OF THE FORM x^2 + x + α^i

Besides asking questions regarding these polynomials and AES, there are also interesting mathematical questions. Specifically, is there a relationship among the powers of the primitive roots used to generate the coefficients of each polynomial x^2 + x + α^i that are, in turn, used to build the field extensions? Can we predict which polynomials will be primitive? Also, can one continue the field extensions forever using only polynomials of the form x^2 + x + α^i for some primitive element α? An argument can be made using counting ideas to indicate that this is probably possible. It would be very nice to be able to predict their form.
APPENDIX A. ONE PAGE OF MATHEMATICA PROGRAM OUTPUT EXAMPLE

Appendix A is a one-page example of the output generated by the Mathematica program in Appendix B. The output shows the power of the root of the polynomial that generates the shift register followed by the contents of the storage elements of the shift register separated by a comma.


D0 0, 1
D1 1, 0
D2 1, 1 + a + b + (1 + a + a b) c
D3 a + b + (1 + a + a b) c, 1 + a + b + (1 + a + a b) c
D4 1, 1 + a + a b + b c
D5 a + a b + b c, 1 + a + b + (1 + a + a b) c
D6 1 + (1 + a) b + (1 + a + (1 + a) b) c, 1 + a + b + (1 + a b) c
D7 a + a b + (a + b) c, 1 + a + a b + (a + b) c
D8 1, a + (1 + (1 + a) b) c
D9 1 + a + (1 + (1 + a) b) c, 1 + a + b + (1 + a + a b) c
D10 b + (a + b) c, a + c
D11 a + b + (1 + a + b) c, a + (1 + a) b + (a + (1 + a) b) c
D12 a b + (1 + a b) c, a b + (1 + a + (1 + a) b) c
D13 (a + b) c, a + (1 + a) c
D14 a + (1 + b) c, b + (1 + a b) c
D15 a + b + (1 + a) b c, 1 + a + b + (1 + a) b c
D16 1, c
D17 1 + c, 1 + a + b + (1 + a + a b) c
D18 a + b + (a + a b) c, a b + (1 + a + b) c
D19 a + (1 + a) b + (1 + (1 + a) b) c, b + a b c
D20 a + a b + (1 + b) c, b c
D21 a + a b + c, a b + (1 + b) c
D22 a + b c, 1 + a b + a b c
D23 1 + a + a b + (1 + a) b c, a b
D24 1 + a + (1 + a) b c, a + b c
D25 1 + a b c, 1 + (1 + a) b + (1 + (1 + a) b) c
D26 (1 + a) b + (1 + b) c, 1 + b + (1 + (1 + a) b) c
D27 1 + a b + a b c, 1 + a + a b + (1 + a + (1 + a) b) c
D28 a + (1 + a + b) c, a + a b + b c
D29 a b + (1 + a) c, a + a b c
D30 a + a b + (1 + a + a b) c, 1 + b + c
D31 1 + a + (1 + a) b + (a + a b) c, a + (1 + a) b + (a + a b) c
D32 1, (1 + a) b + (a + a b) c
D33 1 + (1 + a) b + (a + a b) c, 1 + a + b + (1 + a + a b) c
D34 a + a b + c, 1 + b + (1 + a + b) c
D35 1 + a + (1 + a) b + (a + b) c, 1 + a b + a b c
D36 a + b + (a + (1 + a) b) c, 1 + a + (1 + a) b + c
D37 1 + a b + (1 + a + (1 + a) b) c, 1 + b + (1 + b) c
D38 (1 + a) b + (a + a b) c, 1 + c
D39 1 + (1 + a) b + (1 + a + a b) c, a + (1 + a) b c
D40 1 + a + (1 + a) b + (1 + a + b) c, a + a b + (1 + a + a b) c
D41 1 + b + (1 + a) b c, (1 + (1 + a) b) c
APPENDIX B. MATHEMATICA PROGRAM CODE

Appendix B is the Mathematica code for creating the elements of GF(2^16) using a Galois shift register generated by x^2 + x + c^21 for c in GF(2^8).


SetDirectory["C:\\Documents and Settings\\jody\\Desktop\\thesis"];
<< AlgFields.txt

(* ClearAll[fieldTable, irredTable]; *)

FDeclareFiniteField[GF2, 2];
FDeclareExtensionField[GF4, GF2, {a^2 + a + 1}];
FDeclareExtensionField[GF16, GF4, {b^2 + b + a}];
FDeclareExtensionField[GF256, GF16, {c^2 + c + b^7}];
FDeclareExtensionField[GF65536, GF256, {d^2 + d + c^21}];

(*things you need to change each time*)

outFile = OpenWrite["GF65535poly21.txt"];
xtnField = GF65536;
lowerField = GF256;
sizeOfField = 65536;
multiplier = c^21;
newTerm = d;

(*register contents: newX is the left storage element, newY the right one*)
newX = 0;
oldX = 0;
newY = 1;
oldY = 1;

Print[newTerm, "0 ", newX, ", ", newY];
WriteString[outFile, "D0 ", newX, ", ", newY, "\n"];

For[n = 1, n < sizeOfField - 2, n++,
  newX = oldX + oldY;
  newY = oldX * multiplier;
  newX = FSimplifyF[newX, lowerField];
  newY = FSimplifyF[newY, lowerField];
  oldX = newX;
  oldY = newY;

  (*Print[newTerm, n, " ", newX, ", ", newY];*)
  WriteString[outFile, "D", n, " ", newX, ", ", newY, "\n"];
]

Close[outFile];
APPENDIX C. ONE PAGE OF C++ PROGRAM OUTPUT EXAMPLE

Appendix C is a one-page example of the output generated by the C++ program in Appendix D. The output states the primitive polynomials used to build each field up to that point and also which power of the current primitive root is equal to previous primitive roots. For example, consider the polynomial x^2 + x + a over GF(2^2) where a is an element of GF(2^2). Suppose b is a root of the polynomial. Then, in GF(2^4), b^5 = a. In the output of the program, this is worded as "position of root from degree 4 extension is: 5".
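The exponent-algorithm register, the trace test and the root-position bookkeeping from the proof earlier in this chapter and from this appendix's description, as an added Python example (my code, not the thesis's C++ or Mathematica programs). It generalises the page's register from x^2 + x + α^j to f(x) = x^2 + α^i x + α^j so that the claim that the other root is represented as 0 i can be checked with i ≠ 0, and it adds predicted_root_position, a closed form derived here from the norm β^(q+1) = α^j rather than a result stated on the page; the names STAR, Field, add, trace and the rest are mine.

```python
"""Exponent-algorithm Galois shift register from the page, re-implemented in
Python as an added example (not the thesis's C++ or Mathematica code).

A nonzero element L*beta + R of an extension is stored as the pair (L, R) of
exponents of the base field's primitive root alpha; STAR (None) is the zero
element, exactly as in the C++ program.  The register is generalised from the
page's x^2 + x + alpha^j to f(x) = x^2 + alpha^i x + alpha^j so that the
"other root is 0 i" statement can be checked with i != 0.
"""
STAR = None


class Field:
    """Nonzero elements root^0 .. root^(size-2), each written as (L, R) over prev."""

    def __init__(self, rows, prev):
        self.rows, self.prev = rows, prev
        self.size = len(rows) + 1                           # q, the zero element included
        self.index = {r: k for k, r in enumerate(rows)}     # (L, R) -> exponent of root


# GF(4) over GF(2): rows 1, a, a^2 = a + 1.  GF(2) has only STAR and 0 (= 1).
GF4 = Field([(STAR, 0), (0, STAR), (0, 0)], prev=None)


def add(x, y, field):
    """The C++ circle_add: sum of two elements of `field` given as exponents."""
    if x is STAR:
        return y
    if y is STAR:
        return x
    if x == y:                          # characteristic 2: z + z = 0
        return STAR
    lx, rx = field.rows[x]              # decompose over the subfield, add there,
    ly, ry = field.rows[y]              # and look the sum up again
    return field.index[(add(lx, ly, field.prev), add(rx, ry, field.prev))]


def trace(e, field):
    """Absolute trace Tr(alpha^e) = alpha^e + alpha^(2e) + ..., as coset_trace computes it."""
    n = field.size.bit_length() - 1     # degree of the field over GF(2)
    t = STAR
    for k in range(n):
        t = add(t, (e << k) % (field.size - 1), field)
    return t                            # STAR is 0, exponent 0 is the element 1


def is_irreducible(i, j, base):
    """x^2 + alpha^i x + alpha^j is irreducible over GF(q) iff Tr(alpha^j / alpha^(2i)) = 1."""
    return trace((j - 2 * i) % (base.size - 1), base) == 0


def build_extension(base, i, j):
    """Run the register for f(x) = x^2 + alpha^i x + alpha^j; row k holds beta^k."""
    q = base.size
    rows = [(STAR, 0)]                                      # beta^0 = 1
    left, right = STAR, 0
    for _ in range(q * q - 2):                              # rows 1 .. q^2 - 2
        # (L beta + R) beta = (L alpha^i + R) beta + L alpha^j, since beta^2 = alpha^i beta + alpha^j
        shifted = STAR if left is STAR else (left + i) % (q - 1)
        new_left = add(shifted, right, base)
        new_right = STAR if left is STAR else (left + j) % (q - 1)
        left, right = new_left, new_right
        rows.append((left, right))
    return Field(rows, base)


def period(ext):
    """Order of beta: the first row k >= 1 equal to (STAR, 0), i.e. beta^k = 1."""
    try:
        return ext.rows.index((STAR, 0), 1)
    except ValueError:
        return len(ext.rows)            # never repeats: full period q^2 - 1, beta primitive


def root_position(ext):
    """Power of beta equal to the previous root alpha (the C++ root_position)."""
    return ext.rows.index((STAR, 1))


def other_root(ext):
    """Register representation of the conjugate root beta^q, q the base field size."""
    return ext.rows[ext.prev.size]


def predicted_root_position(j, q):
    """Closed form for x^2 + x + alpha^j with alpha^j primitive (my derivation, not a
    theorem from the page): the norm gives beta^(q+1) = alpha^j, so alpha is
    beta^((q+1) * j^-1 mod (q-1)), and that exponent reduced mod q^2 - 1 is the position."""
    return ((q + 1) * pow(j, -1, q - 1)) % (q * q - 1)


if __name__ == "__main__":
    gf16 = build_extension(GF4, 0, 1)                       # x^2 + x + a over GF(4)
    print(root_position(gf16), period(gf16), other_root(gf16))   # 5 15 (0, 0)
    gf256 = build_extension(gf16, 0, 7)                     # x^2 + x + b^7 over GF(16)
    print(root_position(gf256), predicted_root_position(7, 16))  # 221 221
```

The positions 5, 221 and 29812 reproduced here are the ones printed in the output below, and predicted_root_position(22, 256) gives the 14906 printed for c^22.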


STAR is ffffffff
Building GF4..

building GF16 with x^2+x+a^1
position of root from degree 4 extension is: 5
GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with x^2+x+b^7
position of root from degree 8 extension is: 221
position of root from degree 4 extension is: 85
GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with x^2+x+b^7. GF2to16 built with x^2+x+c^11.
position of root from degree 16 extension is: 29812
position of root from degree 8 extension is: 34952
position of root from degree 4 extension is: 43690
GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with x^2+x+b^7. GF2to16 built with x^2+x+c^22.
position of root from degree 16 extension is: 14906
position of root from degree 8 extension is: 17476
position of root from degree 4 extension is: 21845
GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with x^2+x+b^7. GF2to16 built with x^2+x+c^44.
position of root from degree 16 extension is: 7453
position of root from degree 8 extension is: 8738
position of root from degree 4 extension is: 43690
GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with x^2+x+b^7. GF2to16 built with x^2+x+c^88.
position of root from degree 16 extension is: 36494
position of root from degree 8 extension is: 4369
position of root from degree 4 extension is: 21845
APPENDIX D. C++ PROGRAM CODE

Appendix D contains the C++ program that builds fields using Galois shift registers with the Exponential Algorithm. It is also capable of finding primitive polynomials of the form x^2 + x + α^i for a primitive element α over these fields.


/*Jody Radowicz
Masters Thesis, 2006

This program iteratively goes through all of the extension fields over
GF2 through GF(2^16) and prints out the primitive polynomials used to
build the extensions as well as which power of the current root is
equal to each previous root.  It also reports which polynomials are
reducible as well as the irreducible but imprimitive polynomials with
their periods.

***Note***: This program currently only ever considers polynomials of
the form x^2+x+constant
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <limits.h>
#include <math.h>
#include <vector>
using namespace std;

typedef u_int32_t int_type;          //a definition of the largest int, depending on the computer
typedef vector<int_type> NumVector;  //holds the constant coefficients of the primitive polynomials
                                     //of the form x^2+x+root^i over the current field

typedef struct galois_table_struct   //struct that holds information about a particular field
{
    int_type **curr;                   //pointer to a pointer to the current field
    struct galois_table_struct *prev;  //pointer to the struct that holds info about the field
                                       //that the current field is extended from
    struct galois_table_struct *next;  //pointer to the struct that holds info about the
                                       //extension field built from this field
    int field_size;         //size of table that holds the possible contents of the shift
                            //register + 1, also happens to be the size of the field
    int extn_degree;        //degree of the extension field over GF2
    int prev_field_size;    //size of previous extension field
    int_type root_position; //position in the table created with the Galois shift register
                            //of the root of the primitive poly used to create the previous
                            //field (means new_root^root_position = old_root)
    char root_name;         //used to keep track of root name for printing purposes
} galois_table;

int_type STAR = UINT_MAX; //STAR is a constant int that is treated differently when it comes
                          //to multiplication and addition.  It actually represents the number
                          //zero while the other numbers all represent the exponent i on the
                          //number root^i when it comes to the contents of the shift registers

int_type curr_left_reg = STAR; //the left register of the Galois shift register
int_type old_left_reg  = STAR; //a temp holder for the left register
int_type curr_rt_reg   = 0;    //the right register of the Galois shift register
int_type old_rt_reg    = 0;    //a temp holder for the right register

//declare one instance for each type of table since we will only need
//one table for each extension at a time
galois_table GF4_table;
galois_table GF16_table;
galois_table GF256_table;
galois_table GF2to16_table;
//galois_table GF2to32_table;

int_type sanity_check_num = 0; //number of bits of machine - 1, meant to avoid overflow
                               //when adding large numbers

void print_table(galois_table t); //prints the table created from the Galois register, which
                                  //holds the elements of the extension field whose
                                  //galois_table struct gets passed to it

void build_extn_field(galois_table &t, int_type multiplier); //builds the extension field,
                                  //using a polynomial of the form x^2+x+root^multiplier

void build_table_memory(); //builds table memory

NumVector coset_trace(galois_table table); //determines the trace of the constant coefficients
                                  //of polynomials and returns a vector of primitive
                                  //polynomials' constant coefficients with which to build
                                  //the next extension field.  The trace is used to determine
                                  //if the polynomial is reducible or not.

int_type check_order(int_type number, galois_table table); //returns the order of number in
                                  //the given Galois field.  When passed a constant
                                  //coefficient, we can determine if the corresponding
                                  //irreducible polynomial is primitive or not by checking
                                  //the coefficient's order in the previous Galois field.

void calc_roots(galois_table table, int_type top_field_size, int_type prev_root_pos,
                int_type times); //prints where all of the previous roots occur in a given
                                  //field.  top_field_size is the size of the highest
                                  //extension field, times is the degree of the highest
                                  //extension field over GF2 and helps the function determine
                                  //how many roots it needs to look for.

int_type high_bit_pos(int_type number); //returns the number of the highest bit position
                                        //(start counting with 0)

//struct //used for command line arguments
//{
//    int_type size_of_field;
//} global_cfg;

void usage() //prints the form of the command used to run the program
{
    printf("./iter_fields\n");
}

void parse_args(int argc, char **argv) //parses command line arguments, if there are any
{
    if (argc != 1)
        usage();
    // else
    //     global_cfg.size_of_field = atoi(argv[1]);

    // --- Sanity checking arguments
    // if (global_cfg.size_of_field != 16)
    // {
    //     printf("parse_args::Error! Size should be 16.\n");
    //     exit(0);
    // }
    // printf("Doing run with field size: %d\n", global_cfg.size_of_field);
}

void dump_regs(galois_table table, int row) //puts the register contents into a particular
                                            //field's table.  Used when building the tables
                                            //that hold the elements of a particular field.
{
    table.curr[row][0] = curr_left_reg;
    table.curr[row][1] = curr_rt_reg;
}

void reset_regs() //resets the registers to the starting state
{
    curr_left_reg = old_left_reg = STAR;
    curr_rt_reg = old_rt_reg = 0;
}


void build_table_memory() //builds tables, makes sure there is enough memory.  Fills in some
                          //of the galois_table struct's elements that are common to a
                          //particular extension degree.  Only done once at the beginning of
                          //the program.
{
    GF4_table.curr     = new int_type*[3];
    GF16_table.curr    = new int_type*[15];
    GF256_table.curr   = new int_type*[255];
    GF2to16_table.curr = new int_type*[65535];
    //GF2to32_table.curr = new int_type*[4294967295];

    if ((!GF4_table.curr) || (!GF16_table.curr) || (!GF256_table.curr) ||
        (!GF2to16_table.curr) /* || (!GF2to32_table.curr) */ )
    {
        fprintf(stderr, "Error allocating initial dimension of table memory. exiting\n");
        exit(0);
    }

    for (int i = 0; i < 3; i++)
    {
        GF4_table.curr[i] = new int_type[2];
        if (GF4_table.curr[i] == NULL)
        {
            printf("Error allocating sub-array in GF4. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF4_table.field_size = 4;
    GF4_table.extn_degree = 2;
    GF4_table.prev_field_size = 1;
    GF4_table.prev = NULL;
    GF4_table.next = &GF16_table;
    GF4_table.root_name = 'a';

    for (int i = 0; i < 15; i++)
    {
        GF16_table.curr[i] = new int_type[2];
        if (GF16_table.curr[i] == NULL)
        {
            printf("Error allocating sub-array in GF16. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF16_table.field_size = 16;
    GF16_table.extn_degree = 4;
    GF16_table.prev_field_size = 4;
    GF16_table.prev = &GF4_table;
    GF16_table.next = &GF256_table;
    GF16_table.root_name = 'b';

    for (int i = 0; i < 255; i++)
    {
        GF256_table.curr[i] = new int_type[2];
        if (GF256_table.curr[i] == NULL)
        {
            printf("Error allocating sub-array in GF256. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF256_table.field_size = 256;
    GF256_table.extn_degree = 8;
    GF256_table.prev_field_size = 16;
    GF256_table.prev = &GF16_table;
    GF256_table.next = &GF2to16_table;
    GF256_table.root_name = 'c';

    for (int i = 0; i < 65535; i++)
    {
        GF2to16_table.curr[i] = new int_type[2];
        if (GF2to16_table.curr[i] == NULL)
        {
            printf("Error allocating sub-array in GF2to16. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF2to16_table.field_size = 65536;
    GF2to16_table.extn_degree = 16;
    GF2to16_table.prev_field_size = 256;
    GF2to16_table.prev = &GF256_table;
    // GF2to16_table.next = &GF2to32_table;
    GF2to16_table.next = NULL;
    GF2to16_table.root_name = 'd';

    /*for (int i = 0; i < (pow(2, 32)-1); i++)
    {
        GF2to32_table.curr[i] = new int_type[2];
        if (GF2to32_table.curr[i] == NULL)
        {
            fprintf(stderr, "Error allocating sub-array in GF2to32. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF2to32_table.field_size = (int) pow(2, 32);
    GF2to32_table.extn_degree = 32;
    GF2to32_table.prev_field_size = 65536;
    GF2to32_table.prev = &GF2to16_table;
    GF2to32_table.next = NULL;
    GF2to32_table.root_name = 'e';
    */

    //build GF4's table.  It is the same every time because there is only one primitive
    //polynomial over GF2, x^2+x+1.
    printf("Building GF4..\n");
    GF4_table.curr[0][0] = STAR;
    GF4_table.curr[0][1] = 0;
    GF4_table.curr[1][0] = 0;
    GF4_table.curr[1][1] = STAR;
    GF4_table.curr[2][0] = 0;
    GF4_table.curr[2][1] = 0;
}

int main(int argc, char **argv)
{
    NumVector V; //vector that holds the constant coefficients of primitive polynomials over
                 //the current field
    NumVector::iterator my_iter; //an iterator that runs through the vector

    parse_args(argc, argv);

    sanity_check_num = high_bit_pos(STAR); //sanity_check_num is used to make sure there are
                                           //no overflows in the calculations
    printf("STAR is %x\n", STAR);
    build_table_memory();

    //********do below when you want to follow one path down the field extensions
    printf("\nbuilding GF16 with x^2+x+%c^1", GF16_table.prev->root_name);
    build_extn_field(GF16_table, 1);
    calc_roots(GF16_table, GF16_table.field_size, 1, GF16_table.extn_degree);
    reset_regs();

    printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^1. GF256 built with x^2+x+%c^7",
           GF16_table.prev->root_name, GF256_table.prev->root_name);
    build_extn_field(GF256_table, 7);
    calc_roots(GF256_table, GF256_table.field_size, 1, GF256_table.extn_degree);
    reset_regs();

    printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^1. GF256 built with x^2+x+%c^7. "
           "GF2to16 built with x^2+x+%c^11.",
           GF16_table.prev->root_name, GF256_table.prev->root_name, GF2to16_table.prev->root_name);
    build_extn_field(GF2to16_table, 11);
    calc_roots(GF2to16_table, GF2to16_table.field_size, 1, GF2to16_table.extn_degree);

    /*  reset_regs();
    printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^1. GF256 built with x^2+x+%c^7. "
           "GF2to16 built with x^2+x+%c^11. GF2to32 built with x^2+x+%c^19.",
           GF16_table.prev->root_name, GF256_table.prev->root_name,
           GF2to16_table.prev->root_name, GF2to32_table.prev->root_name);
    build_extn_field(GF2to32_table, 19);
    calc_roots(GF2to32_table, GF2to32_table.field_size, 1, GF2to32_table.extn_degree);
    */
    //*******end straight run through fields

    //*******do below when you want to run through all of the fields iteratively
    /*
    printf("\nbuilding GF16 with x^2+x+%c^2", GF16_table.prev->root_name);
    build_extn_field(GF16_table, 2);
    // print_table(GF16_table);
    V = coset_trace(GF16_table);
    calc_roots(GF16_table, GF16_table.field_size, 1, GF16_table.extn_degree);

    my_iter = V.begin();
    while (my_iter != V.end())
    {
        reset_regs();
        printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^2. GF256 built with x^2+x+%c^%d",
               GF16_table.prev->root_name, GF256_table.prev->root_name, *my_iter);
        build_extn_field(GF256_table, *my_iter);

        NumVector newV;
        NumVector::iterator new_iter;
        newV = coset_trace(GF256_table);
        calc_roots(GF256_table, GF256_table.field_size, 1, GF256_table.extn_degree);

        new_iter = newV.begin();
        while (new_iter != newV.end())
        {
            reset_regs();
            printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^2. GF256 built with x^2+x+%c^%d. "
                   "GF2to16 built with x^2+x+%c^%d.",
                   GF16_table.prev->root_name, GF256_table.prev->root_name, *my_iter,
                   GF2to16_table.prev->root_name, *new_iter);
            // printf("\nGF2to16 built with x^2+x+root^%d\n", *new_iter);
            build_extn_field(GF2to16_table, *new_iter);
            coset_trace(GF2to16_table);
            calc_roots(GF2to16_table, GF2to16_table.field_size, 1, GF2to16_table.extn_degree);
            new_iter++;
        }//end inner while
        my_iter++;
    }//end while
    */
    //**********end iterative run

    return 0;
}//end main

//circle_add takes two elements that you want to circle_add and the field that they are in
//and returns the results.
int_type circle_add(int_type left, int_type right, galois_table curr_field)
{
    int_type first_temp_left, second_temp_left, result_left,
             first_temp_rt, second_temp_rt, result_rt;

    if (left == STAR)
        return right;
    else if (right == STAR)
        return left;
    else if (left == right)
        return STAR;
    else //neither have STAR as content and they arent equal
    {
        //fill temp regs
        first_temp_left  = curr_field.prev->curr[left][0];
        first_temp_rt    = curr_field.prev->curr[left][1];
        second_temp_left = curr_field.prev->curr[right][0];
        second_temp_rt   = curr_field.prev->curr[right][1];

        //circle add component wise, starting with left
        result_left = circle_add(first_temp_left, second_temp_left, *(curr_field.prev));

        //circle add component wise, now with right
        result_rt = circle_add(first_temp_rt, second_temp_rt, *(curr_field.prev));

        //need to find row in the prev field where result_left and result_rt are located
        for (int j = 0; j < (curr_field.prev_field_size - 1); j++)
        {
            if ((curr_field.prev->curr[j][0] == result_left) &&
                (curr_field.prev->curr[j][1] == result_rt))
                return j;
        }//end for
    }//end else

    //the sum of two distinct nonzero elements is again a nonzero element of the field, so
    //falling through to here means the tables are inconsistent; fail loudly instead of
    //returning garbage
    fprintf(stderr, "circle_add: sum not found in the previous field's table\n");
    exit(1);
}//end circle add

//build_extn_field takes galois_table struct and the constant coefficient of the primitive
//polynomial that you want to build the field with and runs through the Galois shift
//register in order to build the field.  It puts each nonzero element in the table.
void build_extn_field(galois_table &table, int_type multiplier)
{
    dump_regs(table, 0);

    for (int row = 1; row < table.field_size - 1; row++)
    {
        //printf("build_extn_field::%d\n", row);
        curr_left_reg = circle_add(old_left_reg, old_rt_reg, table);

        //now calculate curr_rt_reg
        if (old_left_reg == STAR)
            curr_rt_reg = STAR;
        else if ((old_left_reg >= pow(2.0, sanity_check_num)) &&
                 (multiplier >= pow(2.0, sanity_check_num)))
        {
            fprintf(stderr, "Numbers are out of range. Need more bits in the machine.\n");
            exit(0);
        }
        else
            curr_rt_reg = (old_left_reg + multiplier) % (table.prev_field_size - 1);

        //put contents of regs in table
        dump_regs(table, row);

        //update reg values
        old_left_reg = curr_left_reg;
        old_rt_reg = curr_rt_reg;

        //check for root position
        if ((curr_left_reg == STAR) && (curr_rt_reg == 1))
        {
            //printf("found root at: %d\n", row);
            table.root_position = row;
            // printf("root position is: %d\n", table.root_position);
        }
    }//end for
}

//coset_trace  goes  through  each  constant  coefficient  to  determine  if 
x^2+x+constant  is 

//irreducible  or  not  by  determining  the  trace  of  the  constant.  If  the 
polynomial  is  irreducible, 

//  it  determines  the  order  of  the  constant  in  the  previous  Galois  field 
to  see  if  it  has  full 

//order  and  therefore  the  polynomial  is  primitive.  If  the  polynomial  is 
primitive,  then 

//coset_trace  determines  the  other  elements  of  the  coset  and  puts  them 
all  in  a  vector. 

//coset_trace  returns  this  vector  in  case  you  want  to  iteratively  run 
through  the  fields. 

NumVector  coset_trace (galois_table  table) 

{ 

int_type  **  trace_table; 
int_type  *  coset_array; 

trace_table  =  new  int_type* [table . extn_degree] ; //trace_table 

holds  a  representation  of  each  element  in  a  coset  that  a  particular 
constant  coefficient  also  belongs  to 

coset_array  =  new  int_type [table . field_size  -  1];  //coset_array 

holds  all  nonzero  elements  of  a  field  and  is  used  to  keep  track  of 
whether  or  not  x^2+x+element  is  irreducible  and  primitive 

int_type  left_trace  =  0;//left  trace  is  the  left  part  of  the 
representation  of  each  element  in  a  coset,  circle_added  together 

int_type  rt_trace  =  0; //right  trace  is  the  right  part  of  the 
representation  of  each  element  in  a  coset,  circle_added  together 

int_type  order; //the  order  of  a  particular  constant  coefficient 
in  the  previous  galois  field 
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NumVector  ret; //the  vector  that  coset_trace  returns;  holds  the 
constant  coefficients  for  each  x^2+x+constant  that  is  primitive  over 
the  current  galois  field 

//make  sure  there's  enough  memory  for  the  tables 
if  ( ! trace_table  | |  ! coset_array ) 

{ 

printf ( "coset_trace :: Error  allocating  memory  for  trace_tale 
or  coset_array\n" ) ; 

exit ( 0 )  ; 

} 

for  (int  i  =  0;  i  <  table . extn_degree;  i++)  //NO  subtracting  from 
extn_degree 
{ 

trace_table [ i ]  =  new  int_type[2]; 
if  (trace_table [ i ]  ==  NULL) 

{ 

printf ( "Error  allocating  trace-table  .  i  =  %d 

exitingVn",  i) ; 

exit ( 0 ) ; 


//initialize  coset  array 

for  (int  k  =  0;  k  <  table . field_size  -  1;  k++) 
coset_array [k]  =  0; 

//find  next  coset_rep,  fill  trace_table,  print  coset, 

//determine  trace,  print  trace.. 

for  (int  j  =  0;  j  <  table . field_size  -  1;  j++) 

{ 

//printf ( "J: [%d/%d] \n  ",  j,  table . field_size  -  1); 
if  (coset_array [ j ] ==0 ) //coset_array [ j ] ==0  means  it  hasn't 
been  checked  yet 
{ 

//  printf ( "coset  rep  is:  C%d\n",  j); 

coset_array [ j ]  =1 ; //coset_array [ j ] ==1  means  it  has 

been  checked  for  being  irred/red 

trace_table [ 0 ]  [0]  =  table . curr [ j ]  [0]; 
trace_table [ 0 ] [1]  =  table . curr [ j ] [1]; 

//fill  trace  table 

for  (int  k  =  1;  k  <table . extn_degree ;  k++) 

{ 

//sanity  check  for  bits 

if (high_bit_pos ( j )  +  high_bit_pos ( (2<< (k-1 ) ) ) 

>=  sanity_check_num  +  1) 

{ 

fprintf (stderr,  "numbers  of  out  range. 
Need  more  bits  in  the  machine"); 

exit ( 0 ) ; 

} 

//offset  is  the  row  in  the  current  galois  field 
table  where  a  coset  member's  representation  is  located 
                int offset = (j * (2 << (k - 1))) % (table.field_size - 1);
                //printf("\tK: [%d/%d]\n", k, table.extn_degree);
                //printf("C%d is in this coset\n", offset);

                // coset_array[j] == 2 means that j is a member of a coset in which
                // one of the members has already had its trace computed. Since the
                // elements in a coset are either all reducible or all irreducible,
                // we only need to check one.
                coset_array[offset] = 2;

                trace_table[k][0] = table.curr[offset][0];
                trace_table[k][1] = table.curr[offset][1];
                //printf("\tK: -- [%d/%d]\n", k, table.extn_degree);
            } // end for (k = 1..extn_degree)

            // determine trace
            left_trace = circle_add(trace_table[0][0], trace_table[1][0], table);
            for (int n = 2; n < table.extn_degree; n++)
            {
                left_trace = circle_add(left_trace, trace_table[n][0], table);
            }

            rt_trace = circle_add(trace_table[0][1], trace_table[1][1], table);
            for (int n = 2; n < table.extn_degree; n++)
            {
                rt_trace = circle_add(rt_trace, trace_table[n][1], table);
            }

            // print trace
            //printf("trace of c^%d is: %d %d\n", j, left_trace, rt_trace);

            if ((left_trace == STAR) && (rt_trace == STAR))
            {
                // trace is zero: x^2 + x + c^j is reducible
                //printf("x^2 + x + c^%d is reducible\n\n", j);
            }
            else if ((left_trace == STAR) && (rt_trace == 0))
            {
                // trace is one: x^2 + x + c^j is irreducible
                //printf("x^2 + x + c^%d is irreducible\n", j);

                order = check_order(j, table);

                if (order == (table.prev_field_size - 1))
                {
                    // put j in the vector
                    ret.push_back(j);

                    for (int k = 1; k < table.extn_degree; k++)
                    {
                        // sanity check the bits
                        if (high_bit_pos(j) + high_bit_pos((2 << (k - 1))) >= sanity_check_num + 1)
                        {
                            fprintf(stderr, "Numbers out of range. Need more bits in the machine.");
                            exit(0);
                        }

                        int offset = (j * (2 << (k - 1))) % (table.field_size - 1);
                        //printf("C%d is in this coset\n", offset);

                        // put coset members in here
                        ret.push_back(offset);
                    } // end for

                    //printf("x^2 + x + c^%d is primitive.\n\n", j);
                } // end if
                else
                {
                    //printf("x^2 + x + c^%d is not primitive with period %d\n\n", j, order);
                }
            } // end else if
            else // Trace should only be one of two things. If the trace is wrong,
                 // this will catch it and give you an error message.
            {
                printf("error. trace is *not* correct\n");
                printf("left trace = %d, rt_trace = %d\n", left_trace, rt_trace);
            }
        } // end if
    } // end for
    printf("\n");
    return ret;
} // end coset_trace
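An added example, not code from the thesis: it checks the trace criterion behind coset_trace with plain bit-polynomial arithmetic in GF(2^n) instead of the log-table representation above, and computes the order of a root of x^2 + x + c directly in GF(2^(2n)) rather than through check_order. The field polynomials 0x13 (x^4 + x + 1) and 0x11B (x^8 + x^4 + x^3 + x + 1) and the sample values of c are assumptions chosen for the demonstration.

```cpp
#include <cstdint>
typedef uint32_t gf;  // element of GF(2^n), n <= 16, stored as a bit-polynomial

// Multiply in GF(2^n) modulo irreducible `mod` (x^n bit set), e.g. 0x13 = x^4+x+1.
gf gf_mul(gf a, gf b, gf mod, int n) {
    gf r = 0;
    for (int i = n - 1; i >= 0; --i) {
        r <<= 1;
        if (r & (1u << n)) r ^= mod;  // reduce the overflow bit
        if (b & (1u << i)) r ^= a;
    }
    return r;
}

// Tr(c) = c + c^2 + ... + c^(2^(n-1)); the conjugates are one coset, sum is 0 or 1.
gf gf_trace(gf c, gf mod, int n) {
    gf sum = 0, t = c;
    for (int k = 0; k < n; ++k) { sum ^= t; t = gf_mul(t, t, mod, n); }
    return sum;
}

// Brute force: does y^2 + y + c = 0 have a root y in GF(2^n)?
bool quad_has_root(gf c, gf mod, int n) {
    for (gf y = 0; y < (1u << n); ++y)
        if ((gf_mul(y, y, mod, n) ^ y ^ c) == 0) return true;
    return false;
}

// Order of a root y of x^2 + x + c in GF(2^(2n)) using pairs p1*y + p0, y^2 = y + c.
// Returns 0 unless Tr(c) = 1: otherwise the pairs are not a field (c = 0 would spin).
uint32_t root_order(gf c, gf mod, int n) {
    if (gf_trace(c, mod, n) != 1) return 0;
    gf p1 = 1, p0 = 0; uint32_t e = 1;  // start at y^1
    while (!(p1 == 0 && p0 == 1)) {      // multiply by y until the power is 1
        gf q1 = p1 ^ p0;                 // (p1*y + p0)*y = (p1+p0)*y + p1*c
        gf q0 = gf_mul(p1, c, mod, n);
        p1 = q1; p0 = q0; ++e;
    }
    return e;
}

// For every c: Tr(c) in {0,1}; x^2 + x + c irreducible iff Tr(c) = 1 (no root);
// Tr(c) = Tr(c^2), so as in coset_trace one trace per coset suffices.
bool trace_criterion_holds(gf mod, int n) {
    for (gf c = 0; c < (1u << n); ++c) {
        gf t = gf_trace(c, mod, n);
        if (t > 1 || (t == 1) == quad_has_root(c, mod, n)) return false;
        if (t != gf_trace(gf_mul(c, c, mod, n), mod, n)) return false;
    }
    return true;
}
```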

// print_table prints the elements of the field whose galois_table
// struct it is passed
void print_table(galois_table table)
{
    //fprintf(stderr, " |C |\n\n");

    for (int i = 0; i < table.field_size - 1; i++)
    {
        printf("root^%d: ", i);

        if (table.curr[i][0] == STAR)
            printf("STAR, ");
        else
            printf("%4d, ", table.curr[i][0]);

        if (table.curr[i][1] == STAR)
            printf("STAR\n");
        else
            printf("%4d\n", table.curr[i][1]);
    }
} // end print_table

// check_order takes a field element and finds its order in the previous
// galois field, returns the order. check_order assumes the element passed
// to it is not 0 !!!
int_type check_order(int_type number, galois_table table)
{
    // find order of number in prev_field
    // *** assumes number is not 0! ***
    int_type test = number;
    int_type order = 1;

    while (test != 0)
    {
        test = (test + number) % (table.prev_field_size - 1);
        order++;
    } // end while

    return order;
} // end check_order

// calc_roots prints out the location in the current field of all
// previously seen roots
void calc_roots(galois_table table, int_type top_field_size, int_type prev_root_pos, int_type times)
{
    int_type curr_root_pos;

    if (high_bit_pos(prev_root_pos) + high_bit_pos(table.root_position) >= sanity_check_num + 1)
    {
        fprintf(stderr, "Numbers out of range. Need more bits on the machine.");
        exit(0);
    }

    curr_root_pos = (prev_root_pos * table.root_position) % (top_field_size - 1);

    //printf("prev_root_pos is: %d table.root_position is: %d top_field_size is: %d curr_root_pos is: %d\n",
    //       prev_root_pos, table.root_position, top_field_size, curr_root_pos);

    if (times == 4) // last time
    {
        printf("position of root from degree %d extension is: %d\n", times, curr_root_pos);
    }
    else if (times > 4) // not last time, so want to print stuff and call the function again
    {
        printf("position of root from degree %d extension is: %d\n", times, curr_root_pos);
        calc_roots(*(table.prev), top_field_size, curr_root_pos, (times / 2));
    }
} // end calc_roots

// high_bit_pos takes a number and returns the highest bit position
// needed to represent the number in binary
int_type high_bit_pos(int_type number)
{
    int_type count = 0;

    for (int_type temp = number; temp > 1; temp = temp >> 1)
    {
        count++;
    }

    return count;
} // end high_bit_pos
APPENDIX E. CHARTS

Appendix E contains the charts that are a visual representation of the fields generated by polynomials of the form x^2 + x + a^i for a primitive element a. These charts also show which powers of the current primitive root are equal to previous primitive roots.
[Charts not recoverable from the text. Each chart panel is headed "Used to Create:" and lists, for a field generated by a polynomial of the form x^2 + x + a^i, which power of the current primitive root is equal to each previous primitive root.]